Audit Report

OIG-11-097
Report on the Bureau of the Public Debt Administrative Resource
Center’s Description of its Financial Management Services and
the Suitability of the Design and Operating Effectiveness of its
Controls for the Period July 1, 2010 to June 30, 2011
September 12, 2011

Office of
Inspector General
Department of the Treasury

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

OFFICE OF
INSPECTOR GENERAL

September 12, 2011

MEMORANDUM FOR VAN ZECK, COMMISSIONER
               BUREAU OF THE PUBLIC DEBT

FROM:          Michael Fitzgerald
               Director, Financial Audits

SUBJECT:       Report on the Bureau of the Public Debt Administrative
               Resource Center’s Description of its Financial Management
               Services and the Suitability of the Design and Operating
               Effectiveness of its Controls for the Period July 1, 2010 to
               June 30, 2011

I am pleased to transmit the attached Report on the Bureau of the Public Debt (BPD)
Administrative Resource Center’s Description of its Financial Management Services
and the Suitability of the Design and Operating Effectiveness of its Controls for the
period July 1, 2010 to June 30, 2011.
Under a contract monitored by the Office of
Inspector General, KPMG LLP, an independent certified public accounting firm,
performed an examination of the description of controls, the suitability of the design
and operating effectiveness of the accounting and procurement processing, and
general computer controls related to certain services provided by BPD’s
Administrative Resource Center to various Federal Government agencies (Customer
Agencies) for the period July 1, 2010 to June 30, 2011. The contract required that
the examination be performed in accordance with generally accepted government
auditing standards and the American Institute of Certified Public Accountants’
Statement on Standards for Attestation Engagements Number 16, Reporting on
Controls at a Service Organization.

In its examination, KPMG LLP found in all material respects:

    •   the Description of Controls Provided by the BPD fairly presents the accounting
        and procurement processing, and general computer controls that were
        designed and implemented throughout the period July 1, 2010 to June 30,
        2011,
    •   that these controls were suitably designed to provide reasonable assurance
        that the control objectives would be achieved if the controls operated
        effectively throughout the period July 1, 2010 to June 30, 2011, and
        customer agencies applied the complementary customer agency controls and
        sub-service organizations applied the controls contemplated in the design of
        BPD’s controls throughout the period July 1, 2010 to June 30, 2011, and
    •   that the controls tested, which together with the complementary customer
        agency controls and sub-service organizations’ controls, if operating
        effectively, were those necessary to provide reasonable assurance that the
        control objectives were achieved, operated effectively throughout the period
        July 1, 2010 to June 30, 2011.

In connection with the contract, we reviewed KPMG LLP’s report and related
documentation and inquired of its representatives. Our review, as differentiated
from an examination of the description of controls, the suitability of the design and
operating effectiveness of controls in accordance with generally accepted
government auditing standards, was not intended to enable us to express, and we
do not express, an opinion on BPD's description of controls, the suitability of the
design of these controls and the operating effectiveness of controls tested.
KPMG LLP is responsible for the attached independent service auditors’ report dated
September 2, 2011, and the conclusions expressed in the report. However, our
review disclosed no instances where KPMG LLP did not comply, in all material
respects, with generally accepted government auditing standards.

Should you have any questions, please contact me at (202) 927-5789, or a member
of your staff may contact Mark S. Levitt, Manager, Financial Audits at
(202) 927-5076.

Attachment

U.S.
Department of the Treasury
Bureau of the Public Debt

Administrative Resource Center
Financial Management Services
Accounting and Procurement Processing and
General Computer Controls

Report on Administrative Resource Center’s Description of Its Financial
Management Services and the Suitability of the Design and Operating
Effectiveness of Its Controls
For the Period July 1, 2010 to June 30, 2011

U.S. DEPARTMENT OF THE TREASURY
BUREAU OF THE PUBLIC DEBT
ADMINISTRATIVE RESOURCE CENTER
FINANCIAL MANAGEMENT SERVICES

REPORT ON ADMINISTRATIVE RESOURCE CENTER’S DESCRIPTION OF ITS
FINANCIAL MANAGEMENT SERVICES AND THE SUITABILITY OF THE DESIGN AND
OPERATING EFFECTIVENESS OF ITS CONTROLS

Table of Contents

Section   Description

I.   Independent Service Auditors’ Report Provided by KPMG LLP

II.  Management Assertion and Description of Controls Provided by the Bureau of the
     Public Debt

     Management Assertion

     Overview of Operations

     Relevant Aspects of the Control Environment, Risk Assessment, and Monitoring

          Control Environment
          Risk Assessment
          Monitoring

     Information and Communication

          Information Systems
          Communication

     Control Objectives and Related Controls
          The Bureau of the Public Debt’s control objectives and related controls are
          included in Section III of this report, “Control Objectives, Related Controls,
          and Tests of Operating Effectiveness.” Although the control objectives and
          related controls are included in Section III, they are, nevertheless, an integral
          part of the Bureau of the Public Debt’s description of controls.

     Complementary Customer Agency Controls

     Sub-service Organizations

III. Control Objectives, Related Controls, and Tests of Operating Effectiveness

     Accounting Processing Controls

          Obligations
          Disbursements
          Unfilled Customer Orders, Receivables, and Cash Receipts
          Deposits
          Payroll Accruals
          Payroll Disbursements
          USSGL
          Accruals
          Government-Wide Reporting
          Administrative Spending
          Budget
          Manual Journal Entries
          Federal Investments
          Suppliers and Banks Record Changes

     Procurement Processing Controls

          Acquisitions and Contracts
          Sufficiently Funded Requisitions

     General Computer Controls

          System Access
          System Changes
          Non-Interruptive System Service
          Records Maintenance

IV.  Other Information Provided by Bureau of the Public Debt

     Contingency Planning

I.
INDEPENDENT SERVICE AUDITORS’ REPORT
PROVIDED BY KPMG LLP

KPMG LLP
2001 M Street, NW
Washington, DC 20036-3389

Independent Service Auditors’ Report

Inspector General, U.S. Department of the Treasury
Deputy Executive Director, Administrative Resource Center

Scope
We have examined the Bureau of Public Debt (BPD) Administrative Resource Center’s (ARC’s)
description of its accounting and procurement processing, and general computer controls used for
processing customer agencies’ transactions throughout the period July 1, 2010 to June 30, 2011
(description) and the suitability of the design and operating effectiveness of controls to achieve
the related control objectives stated in the description. The description indicates that certain
control objectives specified in the description can be achieved only if complementary customer
agency controls and controls at the sub-service organizations contemplated in the design of
BPD’s controls are suitably designed and operating effectively, along with related controls at the
service organization. We have not evaluated the suitability of the design or the operating
effectiveness of such complementary customer agency controls or controls at the sub-service
organizations.

BPD uses external service organizations (sub-service organizations). The description in Section II
includes only the control objectives and related controls of BPD and excludes the control
objectives and related controls of the sub-service organizations.
Our examination did not extend
to controls of sub-service organizations.

Service organization’s responsibilities
In its description, BPD has provided an assertion about the fairness of the presentation of the
description, the suitability of the design and the operating effectiveness of the controls to achieve
the related control objectives stated in the description (see pages 7-8). BPD is responsible for
preparing the description and for the assertion, including the completeness, accuracy, and method
of presentation of the description and the assertion, providing the services covered by the
description, specifying the control objectives and stating them in the description, identifying the
risks that threaten the achievement of the control objectives, selecting and using suitable criteria,
and designing, implementing, and documenting controls to achieve the related control objectives
stated in the description.

The information in Section IV of management’s description of the service organization’s system,
“Other Information Provided by Bureau of the Public Debt,” is presented by management of
BPD to provide additional information and is not a part of BPD’s description of its system made
available to Customer Agencies during the period July 1, 2010, to June 30, 2011. Information in
Section IV has not been subjected to the procedures applied in the examination of the description
of the system and of the suitability of the design and operating effectiveness of controls to
achieve the related control objectives stated in the description of the system, and, accordingly, we
express no opinion on it.

KPMG LLP is a Delaware limited liability partnership,
the U.S.
member firm of KPMG International Cooperative
(“KPMG International”), a Swiss entity.

Service auditor’s responsibilities
Our responsibility is to express an opinion on the fairness of the presentation of the description,
the suitability of the design and the operating effectiveness of the controls to achieve the related
control objectives stated in the description, based on our examination. We conducted our
examination in accordance with attestation standards established by the American Institute of
Certified Public Accountants and applicable Government Auditing Standards issued by the
Comptroller General of the United States. Those standards require that we plan and perform our
examination to obtain reasonable assurance about whether, in all material respects, the description
is fairly presented, the controls were suitably designed and the controls were operating effectively
to achieve the related control objectives stated in the description throughout the period July 1,
2010 to June 30, 2011.

An examination of a description of a service organization's system and the suitability of the
design and operating effectiveness of the service organization's controls to achieve the related
control objectives stated in the description involves performing procedures to obtain evidence
about the fairness of the presentation of the description and the suitability of the design and the
operating effectiveness of those controls to achieve the related control objectives stated in the
description. Our procedures included assessing the risks that the description is not fairly presented
and that the controls were not suitably designed or operating effectively to achieve the related
control objectives stated in the description.
Our procedures also included testing the operating
effectiveness of those controls that we consider necessary to provide reasonable assurance that
the related control objectives stated in the description were achieved. An examination
engagement of this type also includes evaluating the overall presentation of the description and
the suitability of the control objectives stated therein, and the suitability of the criteria specified
by the service organization and described in management’s assertion in Section II of this report.
We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable
basis for our opinion.

Inherent limitations
Because of their nature, controls at a service organization may not prevent, or detect and correct,
all errors or omissions in processing or reporting transactions. Also, the projection to the future of
any evaluation of the fairness of the presentation of the description, or conclusions about the
suitability of the design or operating effectiveness of the controls to achieve the related control
objectives is subject to the risk that controls at a service organization may become inadequate or
fail.

Opinion
In our opinion, in all material respects, based on the criteria described in BPD’s assertion in
Section II of this report, (1) the description fairly presents the accounting and procurement
processing, and general computer controls that were designed and implemented throughout the
period July 1, 2010 to June 30, 2011, (2) the controls related to the control objectives stated in the
description were suitably designed to provide reasonable assurance that the control objectives
would be achieved if the controls operated effectively throughout the period July 1, 2010 to June
30, 2011, and customer agencies applied the complementary customer agency controls and
sub-service organizations applied the controls contemplated in the design of BPD’s
controls
throughout the period July 1, 2010 to June 30, 2011, and (3) the controls tested, which together
with the complementary customer agency controls and sub-service organizations’ controls
referred to in the scope paragraph of this report, if operating effectively, were those necessary to
provide reasonable assurance that the control objectives stated in the description in Section III
were achieved, operated effectively throughout the period July 1, 2010 to June 30, 2011.

Description of tests of controls
The specific controls and the nature, timing, extent, and results of the tests are listed in
Section III.

Restricted use
This report, including the description of tests of controls and results thereof in Section III, is
intended solely for the information and use of the management of BPD, customer agencies of
BPD’s financial management services during some or all of the period July 1, 2010 to June 30,
2011, the U.S. Department of the Treasury Office of Inspector General, the Office of
Management and Budget, the Government Accountability Office, the U.S. Congress, and the
independent auditors of BPD’s customer agencies, who have a sufficient understanding to
consider it, along with other information including information about controls implemented by
customer agencies themselves, when assessing the risks of material misstatements of customer
agencies’ financial statements. This report is not intended to be and should not be used by anyone
other than these specified parties.

September 2, 2011
Washington DC

II.
MANAGEMENT ASSERTION AND DESCRIPTION OF CONTROLS
PROVIDED BY THE BUREAU OF THE PUBLIC DEBT

Department of the Treasury
Bureau of the Public Debt
Administrative Resource Center
Parkersburg, WV 26106-1328

Administrative Resource Center’s Assertion
July 11, 2011

We have prepared the description of the Administrative Resource Center’s (ARC) Administrative
Systems (financial management services accounting processing and general computer controls) for user
entities of the system during some or all of the period July 1, 2010 to June 30, 2011, and their user
auditors who have a sufficient understanding to consider the description, along with other information,
including information about controls operated by user entities of the system themselves, when obtaining
an understanding of user entities’ information and communication systems relevant to financial
reporting. We confirm, to the best of our knowledge and belief, that:
a.
The accompanying description in Sections II and III, fairly presents the ARC system made available
   to user entities of the system during some or all of the period July 1, 2010 to June 30, 2011 for processing
   their transactions in the ARC financial management systems.

    ARC uses a number of different sub-service organizations for certain transaction processing:

    Sub-Service Organization                           Description of Services
    Treasury                                           Used by customer agencies for FACTS I and
                                                       FACTS II reporting and producing financial
                                                       statements.
    Third Party Payroll Service Providers              Processing of payroll transactions
    Northrop Grumman Mission Systems                   Processing of travel related transactions
    Dun & Bradstreet                                   Used for procurement transactions
    Bureau of Public Debt                              Used to purchase and redeem Government Account
                                                       Series securities
    Oracle Corporation                                 Provides hosting services Oracle and PRISM

    The description in Sections II and III includes only the controls and related control objectives of
    ARC and excludes the control objectives and related controls of the services listed above from the
    respective service organizations. The criteria we used in making this assertion were that the
    accompanying description:
   i.   Presents how the systems made available to user entities of the system was designed and implemented to
        process relevant transactions, including:
        1. The types of services provided, including, as appropriate, the classes of transactions
            processed;
        2.
The procedures, within both automated and manual systems, by which those transactions
            were initiated, authorized, recorded, processed, corrected as necessary, and transferred to the
            reports prepared for user entities;
        3. The related accounting records, supporting information, and specific accounts that were used
            to initiate, authorize, record, process, and report transactions; this includes the correction of
            incorrect information and how information was transferred to the reports prepared for user
            entities;
        4. How the systems captured and addressed significant events and conditions, other than
            transactions;
        5. The process used to prepare reports or other information for user entities;
        6. Specified control objectives and controls designed to achieve those objectives;
        7. Controls that we assumed, in the design of the system, would be implemented by user
            entities, and which, if necessary to achieve control objectives stated in the accompanying
            description, are identified in the description along with the specific control objectives that
            cannot be achieved solely by controls implemented by us; and
        8. Other aspects of our control environment, risk assessment process, information and
            communication systems (including the related business processes), control activities, and
            monitoring controls that are relevant to processing and reporting transactions of user entities
            transactions.

  ii.
Does not omit or distort information relevant to the scope of the Administrative Systems being
        described, while acknowledging that the description was prepared to meet the common needs of a
        broad range of user entities and their independent auditors and may not, therefore, include every
        aspect of the Administrative Systems that each individual user entity may consider important in
        its own particular environment.

b. The description includes relevant details of changes to ARC’s systems during the period covered by
   the descriptions.

c. The controls related to the control objectives stated in the description were suitably designed and
   operated effectively throughout the period July 1, 2010 to June 30, 2011 to achieve those control
   objectives. The criteria we used in making this assertion were that

     i.   The risks that threatened achievement of the control objectives stated in the description were
          identified;
    ii.   The identified controls would, if operated as described, provide reasonable assurance that those
          risks did not prevent the stated control objectives from being achieved;
   iii.   The controls were consistently applied as designed, including whether manual controls were
          applied by individuals who have the appropriate competence and authority; and
    iv.   Sub-service organizations applied the controls contemplated in the design of ARC’s controls.

Sincerely,

Cynthia Z.
Springer, Executive Director
Administrative Resource Center

OVERVIEW OF OPERATIONS

The Bureau of the Public Debt’s (BPD’s) Administrative Resource Center (ARC) has been a
member of the Treasury Franchise Fund (TFF) since August 1998. The TFF was established by
P.L. 104-208 and was made permanent by P.L. 108-447. ARC provides administrative support
services on a competitive, fee-for-service, and full-cost basis. ARC’s mission is to aid in
improving overall government effectiveness by delivering responsive and cost effective
administrative support to its Customer Agencies; thereby, improving their ability to effectively
discharge their mission.

As of June 30, 2011, ARC provided financial management services to approximately 50
Customer Agencies. Financial management services include accounting, budgeting, reporting,
travel, procurement and systems support and platform services.
The ARC divisions, branches and
the financial management services that they provide are:

Accounting Services Division (ASD)                 Services Provided
Accounting Services Branch 1 (ASB1)                Document Processing
                                                   Reporting Services

Accounting Services Branch 2 (ASB2)                Document Processing
                                                   Reporting Services

Accounting Services Branch 3 (ASB3)                Document Processing
                                                   Reporting Services
                                                   Budget Services

Accounting Services Branch 4 (ASB4)                Document Processing
                                                   Reporting Services

Accounting Services Branch 5 (ASB5)                Document Processing
                                                   Reporting Services

Central Accounting Branch (CAB)                    Supplier Table Update and Maintenance
                                                   Record and Reconcile Payroll
                                                   1099 Reporting
                                                   Purchase Card Processing

Program Support Branch (PSB)                       Deposit Services
                                                   SPS Operations

Accounts Payable Branch (APB)                      Document Processing


Travel Services Division (TSD)                     Services Provided
Temporary Duty Services Branch (TDSB)              Temporary Duty Travel Services
                                                   Operate/Maintain GovTrip
                                                   Provide GovTrip Training Services
                                                   Document Processing

Relocation Services Branch (RSB)                   Relocation Services
                                                   Operate/Maintain moveLINQ
                                                   Record and process relocations
                                                   Tax Reporting


Business Technology Division (BTD)                 Services Provided
Customer Service Branch (CSB)                      Provide Financial Management System
                                                   Support/Training

Quality Control Branch (QCB)                       Operate/Maintain Financial Management
                                                   Systems

Project and Technical Services Branch (PTSB)       Application Development/Analysis/Project
                                                   Management


Human Resources Operations Division (HROD)         Services Provided
Pay and Leave Services Branch (PLSB)               Administer webTA System User Access


Division of Procurement Services (DPS)             Services Provided
Procurement Services Branch 1 (PSB1)               Acquisition Services

Procurement Services Branch 2 (PSB2)               Acquisition Services

Procurement Services Branch 3 (PSB3)               Acquisition Services


ARC Organizational Chart

Office of Executive Director
Deputy Executive Director

    Accounting Services Division
        Accounting Services Branch 1
        Accounting Services Branch 2
        Accounting Services Branch 3
        Accounting Services Branch 4
        Accounting Services Branch 5
        Central Accounting Branch
        Program Support Branch
        Accounts Payable Branch

    Business Technology Division
        Customer Service Branch
        Quality Control Branch
        Project and Technical Services Branch

    Division of Procurement Services
        Procurement Services Branch 1
        Procurement Services Branch 2
        Procurement Services Branch 3

    Human Resource Operations Division
        Pay and Leave Services Branch

    Travel Services Division
        Relocation Services Branch
        Temporary Duty Services Branch


Accounting Services
Accounting Services consists of the following:
   • Recording financial transactions in an automated accounting system, including
       appropriation, apportionment, allocations, revenue agreements, accounts receivable,
       collections, commitments, obligations, accruals, accounts payable, disbursements, and
       journal entries.
   • Examining and processing
       vendor and other employee payments.
   • Examining and processing revenue and other collections.

To maximize efficiencies and enhance Customer satisfaction, ARC has developed financial
management service guidelines for Customer Agencies. The guidelines are available to
customers via ARC’s customer websites. The guidelines provide accounting service overviews,
links to regulations and data submission requirements for the various types of services and
accounting transactions that ARC processes.

Prior to providing accounting services to Customer Agencies, ARC meets with them to learn and
understand the authorizing legislation and mission. This enables ARC to assist them in defining
their accounting needs and to ensure that the accounting services provided comply with
applicable regulations and are able to meet their internal and external reporting needs.

ARC’s automated accounting systems provide for budgeting and funds control at various
organizational and spending levels. The levels used are established based on the Customer
Agency’s authorizing legislation, apportionment level, or their request to control at a lower level
than required by law.

ARC offers commitment accounting to Customer Agencies to better enable them to monitor and
control their funds availability. When applicable, ARC sets aside funds that are available for
obligation based on an approved purchase requisition (PR). In the event that the actual order
amount is greater than the approved purchase request amount, a modification to the PR is
required unless overage tolerances have been pre-approved by the customer agency.

ARC records obligations based on fully executed purchase orders, contracts, training orders or
interagency agreements. Recording the obligations in the accounting system sets aside funds to
ensure that funds are available to pay for the goods or services when provided and billed by
suppliers.
All obligations must be approved for funds availability prior to issuance. This is
generally done through processing a PR, but is the responsibility of the Customer Agency if they
elect not to have commitment accounting services. In the event that the invoice amount is greater
than the obligated amount, a modification is required unless overage tolerances have been
pre-approved by the Customer Agency.

Customer Agencies are required to notify ARC when goods/services have been received but not
invoiced by the supplier at the end of a reporting period. Based on the information received,
ARC records expense accruals in the accounting system. The notification process is established
at the Customer Agency level and can include submitting receiving reports or schedules that
detail the items to be accrued.

ARC processes and/or records all Customer Agency disbursements. These include supplier
invoices, purchase card payments, Intra-governmental Payment And Collection (IPAC)
transactions, employee travel reimbursements, and employee payroll.

The preferred approach for payment of qualifying supplier goods/services is the government’s
purchase card program. Customer Agencies are encouraged to obtain and use a government
purchase card to the greatest extent possible and they are encouraged to participate in ARC's
purchase card program and use Citibank's CitiDirect system. CitiDirect allows Customer Agency
cardholders and approving officials to electronically reconcile, route, approve, and submit the
purchase card statement to ARC for payment.

Generally, ARC Customer Agencies use two methods of receiving and monitoring the status of
supplier invoices.
The preferred method requires that supplier invoices be sent directly to ARC.
When using this method, ARC has controls that ensure that all invoices are logged with the date
received, are forwarded to the Customer Agency staff designated on the obligating document for
review and approval, and are monitored to ensure that invoices are returned to ARC for
processing in accordance with the Prompt Payment Act. The alternative method (under unique
circumstances) requires that supplier invoices be sent directly to the Customer Agency. When
using this method, the Customer Agency is required to establish controls to ensure that all
invoices are stamped with the date received, reviewed, certified by the staff member designated
on the obligation document, and submitted to ARC for processing in accordance with the Prompt
Payment Act.

All invoices are examined by ARC or Customer Agency staff to ensure that they are proper, as
defined by the Prompt Payment Act. In addition, invoices are matched to the obligating
documents and receiving reports (when applicable) and are certified by invoice approvers. If
receiving reports are not submitted, the invoice approver certifies that the invoice is in accordance
with the terms of the order, and provides the dates the goods/services were received and accepted.

After the invoice approver certifies the invoice, it is submitted to ARC to process the payment to
the supplier. The Customer Agency is responsible for ensuring that invoices are submitted in
time to receive discounts, if applicable, and to pay the invoice prior to the Prompt Payment Act
due date.
Upon receipt, ARC reviews the invoice for proper certification, accuracy and
completeness and either schedules the payment in accordance with the terms of the order, the
Prompt Payment Act and Electronic Funds Transfer (EFT) Rules or returns the invoice to the
customer for clarification or additional information.

ARC transmits EFT and check payment files to the U.S. Department of the Treasury using
Treasury’s Secure Payment System (SPS). In addition, ARC processes most intragovernmental
payments using Treasury’s IPAC system. ARC obtains Customer Agency approval prior to
initiating an IPAC payment to another federal agency. ARC also monitors IPAC activity initiated
against the Customer Agency by another federal agency and forwards all IPAC payments to the
appropriate certifying official for approval. ARC records all IPAC payments in the accounting
period the IPAC was accomplished.

Third-party payroll processors provide ARC with a file of payroll data at least bi-weekly (weekly
if payroll adjustment files are applicable) to interface into the accounting system. ARC
reconciles all payroll transactions recorded to disbursements reported by the third-party
processor. ARC records payroll accruals on a monthly basis and reverses the accrual in the
subsequent accounting period. The payroll accrual is a prorated calculation performed by the
accounting system that is based on the most recent payroll disbursement data available.

ARC processes revenue and collection related transactions (i.e., unfilled customer orders,
receivables, and cash receipts) with Customer Agency approval. Customer Agencies either
forward to ARC approved source documents or a summary of their transactions.
ARC records IPAC transactions in the period in which they are processed in FMS’s IPAC
System. Check deposits are made by ARC or the Customer Agency. When checks are deposited by
customers, the Standard Form (SF) 215 deposit ticket is forwarded to ARC. In addition, all
deposits require the Customer Agencies to provide the accounting information necessary to
record the cash receipt.

ARC records proprietary and budgetary accounting entries using the United States Standard
General Ledger (USSGL) and Treasury approved budget object codes at the transaction level. In
addition, ARC reconciles general ledger accounts to ensure transactions are posted to the
appropriate accounts. ARC prepares budgetary to proprietary account relationship reconciliations
on a monthly basis to ensure transactions are recorded and corrects any invalid out-of-balance
relationships.

ARC utilizes CA Records Manager, a software application managed by BPD’s Office of
Management Services’ (OMS), Information Management Branch (IMB), to store hardcopy and
electronic data records. ARC generates labels, which are printed and placed on boxes that are to
be stored in BPD's warehouse. The information recorded on the label is entered into CA Records
Manager so that the boxes can subsequently be requested by ARC personnel, as they are needed.
Once the data is recorded in CA Records Manager, BPD warehouse personnel either pick up the
box to be placed in storage or return the box to ARC, as applicable.

ARC works with Customer Agencies to develop and implement processes to ensure the accuracy
of their accounting information.
This includes reviewing open commitment, obligation, expense
accrual, customer agreement, and open billing document reports for completeness, accuracy, and
validity. This review is conducted by Customer Agencies or ARC staff no less frequently than
quarterly. Based on the review, a determination is made on the action(s) needed to adjust or
remove any invalid items in ARC’s accounting records.

Budget Services
ARC enters the Customer Agency’s budget authority in the accounting system based on the
supporting documentation, which may include enacted legislation, anticipated resources, Treasury
warrants or transfer documents, an Apportionment and Reapportionment Schedule (SF 132), the
Customer Agency’s budget plan or recorded reimbursable activity. The budget process makes
funds available for commitment, obligation, and/or expenditure, and with controls in place, the
automated accounting system checks for sufficient funds in the Customer Agency’s budget at the
specified control levels.

Reporting Services
ARC performs all required external reporting for Customer Agencies, including the following
reports: FMS 224, FACTS I, FACTS II, Report on Receivables, Treasury Information Executive
Repository (TIER), and quarterly and year-end financial statements. In addition, ARC has
created a standard suite of management reports that are available to all Customer Agencies.
ARC
also reconciles certain general ledger accounts and ensures that proprietary and budgetary general
ledger account relationships are maintained.

Travel Services Temporary Duty
Travel Services consist of the following:
   • Operating and maintaining the E-Gov Travel system (GovTrip) in compliance with the
       Federal Travel Regulations (FTR) for all ARC Customer Agencies
   • Researching and implementing the FTR and Agency/Bureau travel policies
   • System Administration
   • Providing customer service and training to system users
   • Evaluating, recommending, and implementing approved changes to existing systems
       and/or new systems, including working with the E-Gov Travel vendor and the General
       Services Administration (GSA) on system enhancements and deficiencies
   • Processing employee reimbursements via interface to Oracle Federal Financials (Oracle)

Travel documents (authorizations and vouchers) and miscellaneous employee reimbursements are
entered by Customer Agencies into GovTrip and are electronically routed to an Approving
Official for review and approval. The Approving Official electronically signs the documents with
a status of “approved”. All “approved” documents are interfaced and reconciled to Oracle daily.
GovTrip contains system audits that prohibit documents that do not meet certain Federal Travel
Regulations or do not contain required accounting information from interfacing to Oracle.

Access to GovTrip is restricted to users with a valid logon ID and password. All GovTrip users
must complete the self-registration process.
After the self-registration information is verified, the TSD helpdesk will forward an account
token to the user so that the user can activate their account. Budget Reviewers and Approving
Officials must complete, sign, and submit an
approved Form PD5409E – Administrative Resource Center (ARC) Online Applications Access
Request or have their approving official or agency travel contact submit an e-mail request to
Travel Services. Changes to a user’s identification (i.e., name change) require a resubmitted
Form PD5409E or an e-mail from the user copying his/her approving official or agency travel
contact. Changes to a user’s role require a resubmitted PD5409E or e-mail approval from the
traveler’s approving official or agency travel contact.

Relocation Services
Relocation Services consist of the following:
   • Operating and maintaining moveLINQ, a government relocation expense management
       system in compliance with the Federal Travel Regulations (FTR), Joint Travel
       Regulations (JTR) and Joint Federal Travel Regulations (JFTR) to record and process
       permanent change of station moves for Customer Agencies
   • Researching and implementing relocation regulations and Agency/Bureau relocation
       travel policies
   • System Administration
   • Providing customer service
   • Providing system support and training to internal users
   • Evaluating, recommending, and implementing approved changes to the existing system,
       including working with the moveLINQ vendor, mLINQS, on system enhancements and
       deficiencies
   • Processing relocations through the moveLINQ system
   • Processing obligations and disbursements via interface to Oracle Federal Financials
       (Oracle)

Relocation travel documents (authorizations, amendments, advances, and vouchers) are entered
by ARC into
moveLINQ. Prior to being submitted in moveLINQ, the vouchers are reviewed for
accuracy by a second ARC employee. Completed documents are faxed or digitally scanned and
e-mailed to the traveler and/or approving official for review and approval, as appropriate. For
customers for which ARC processes payments, approved documents are interfaced and reconciled
to Oracle daily.

Access to moveLINQ is restricted to ARC users with a valid logon and password. The process
for requesting, establishing, issuing, and closing user accounts is controlled through the use of the
moveLINQ Online Application Access Request Form which requires supervisor approval.
Changes to a user’s identification (i.e., name change) require a resubmitted moveLINQ Online
Application Access Request Form or e-mail from the user copying his/her supervisor or manager.
Changes to a user’s role require a resubmitted Application Access Request Form or e-mail
approval from the user’s supervisor or manager.

Procurement Services
Procurement Services consist of the following:
   • Awarding contracts and purchase orders in accordance with Federal Acquisition
       Regulations and Treasury Acquisition Regulations
   • Contract administration

Requests for procurement actions are initiated by customers through requisitions. The
requisitions contain a performance work statement or requirements document, estimated dollar
amount for the goods or service, validation that funds are available and approval from an
authorized official.
Requisitions may be sent electronically through PRISM or manually.

Upon receipt of a completed requisition, ARC procurement personnel will develop an acquisition
strategy based upon the item or service being purchased and the expected dollar amount of the
purchase. Using information from the requisition, ARC personnel will develop and publicize the
solicitation requesting proposals. ARC personnel will conduct the evaluation of the proposals
with a technical team of experts from our Customer Agencies. With input from the technical team,
an ARC contracting officer will select the vendor that best meets the customer’s requirements.

Following award of the contract, ARC personnel will provide contract administration services.
This includes executing approved and authorized contract modifications, resolving issues that
arise during the life of the contract, monitoring delivery schedules and closing out the contract at
completion.

System Platform Services
ARC maintains system support staff that provide customer services and training activities.
Customer support is provided via phone or e-mail. ARC maintains a training course curriculum
that is generally provided in a hands-on classroom environment.

ARC performs all system access activities in accordance with established procedures for granting,
changing, and removing user access. Included in these procedures are independent reviews of
system access activity and user inactivity.

ARC performs all system change activities in accordance with established procedures for
evaluating, authorizing, and implementing.
To this end, ARC maintains responsibility for System
Integration Testing, providing customers an opportunity to perform User Acceptance Testing, and
approving production changes.

RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK
ASSESSMENT, AND MONITORING

Control Environment

ARC Financial Management Service operations are under the direction of the Office of the
Executive Director of ARC. ARC’s mission is to aid in improving overall government
effectiveness by delivering responsive and cost effective administrative support to its Customer
Agencies, thereby improving their ability to effectively discharge their mission.

ARC employees are responsible for processing and reporting accounting activity, providing
system support and development services, procurement, and travel services for its Customer
Agencies. ARC holds management meetings on a regular basis to discuss special processing
requests, operational performance, and the development and maintenance of projects in process.
Written position descriptions for employees are maintained. The descriptions are inspected and
revised as necessary.

References are sought and background, credit, and security checks are conducted for all BPD
personnel when they are hired. Additional background, credit, and security checks are performed
every three to five years. The confidentiality of user-organization information is stressed during
the new employee orientation program and is emphasized in the personnel manual issued to each
employee. BPD provides a mandatory orientation program to all full time employees and
encourages employees to attend other formal outside training.
Training available to BPD
employees with related work responsibilities includes, but is not limited to: Prompt Pay and
Voucher Examination, Appropriation Law, Federal Acquisition Regulations, Federal Travel
Regulations, Reconciling with and Reporting to Treasury, Dollars & Sense, Federal Accounting
Fundamentals, USSGL Practical Applications, Budgeting and Accounting – Making the
Connection and Computer Security Training Awareness.

All BPD employees receive an annual written performance evaluation and salary review. These
reviews are based on goals and objectives that are established and reviewed during meetings
between the employee and the employee’s supervisor. Completed appraisals are reviewed by
senior management and become a permanent part of the employee’s personnel file.

Risk Assessment

BPD has placed into operation a risk assessment process to identify and manage risks that could
affect ARC’s ability to provide reliable accounting and reporting, system platform and travel
services for Customer Agencies. This process requires management to identify significant risks
in their areas of responsibility and to implement appropriate measures and controls to manage
these risks.

Monitoring

BPD management and supervisory personnel monitor the quality of internal control performance
as a normal part of their activities. Management and supervisory personnel inquire of staff and/or
review data to ensure that transactions are processed within an effective internal control
environment. An example of a key monitoring control is that ASD Reporting Branch Managers
and/or Supervisors review reconciliations from Oracle sub ledgers to the related general ledger
accounts.
ASD prepares budgetary to proprietary account relationship reconciliations on a
monthly basis. In addition, ASD prepares and reconciles the FACTS II submitted reports to the
trial balance and statement of budgetary resources on a quarterly basis. ARC also uses the results
of the annual Statements on Standards for Attestation Engagements (SSAE 16) examination as a
tool for identifying opportunities to strengthen controls.

INFORMATION AND COMMUNICATION

Information Systems

Oracle Federal Financials (Oracle)
Oracle on Demand operates Oracle version 11i, Oracle 10g database in a Linux operating system
environment. Oracle uses a two-tier web-based infrastructure with a front-end Internet user
interface and a database residing on the secure network. The application accesses the database IP
to IP on a specified port that was defined in the Access Control List. Internet access is via a
128-bit Secure Sockets Layer (SSL) encrypted connection. The application is compliant with Section
508 of the Rehabilitation Act Amendment for 1998 for Americans with Disabilities (ADA).
Functions of Oracle include budget execution, general ledger, purchasing, accounts payable,
accounts receivable, fixed assets, and manufacturing.
ARC also uses a report writer package
called Discoverer that provides users with the ability to create their own ad hoc reports for query
purposes.

Procurement Request Information System Management (PRISM)
Oracle on Demand operates PRISM version 6.5, on Windows operating system and Oracle 10g
database in a Linux operating system environment. PRISM uses a two-tier web-based
infrastructure with a front-end Internet user interface using Windows as its operating system and
a database residing on the secure Oracle on Demand network. The application accesses the
database on a specified port that is defined in the Access Control List. Only select Internet
Protocol (IP) addresses that are defined in the Access Control List are permitted to connect to the
database IP. Internet access is via a 128-bit SSL encrypted connection. Transactions entered
through PRISM interface real-time with Oracle.

webTA
ARC uses Kronos’ webTA as its time and attendance system for most of its Customer Agencies
whose payroll is processed by the NFC. Transactions that are entered in webTA interface with
NFC, and NFC ultimately sends payroll data back to ARC for an interface into Oracle.

ARC operates webTA version 3 on Windows 2003. webTA uses the Oracle 11g database, which
runs on the ARC subnet and accesses data in the ARC DMZ using Linux AS 2.1 as its operating
system. Office of Information Technology (OIT) serves as the webTA database administrator
and provides primary support for tape backup and recovery. webTA uses a two-tier web-based
infrastructure with a front-end Internet user interface and a database residing on the secure
network. The application (web-applet) accesses the database on a specified port that is defined in
the Access Control List. Only select IP addresses that are defined in the Access Control List are
permitted to connect to the database IP. External Internet access is via 128-bit encrypted
connection.
External security is provided by OIT through firewall rules and router access control
lists.

GovTrip
ARC uses Northrop Grumman Mission System’s (NGMS’s) GovTrip travel system (system
selected by the U.S. Department of the Treasury as its E-Gov Travel solution). NGMS developed
and hosts GovTrip. GovTrip is a web-based, self-service travel system that incorporates
traditional reservation and fulfillment support and a fully-automated booking process. GovTrip
uses system processes and audits to ensure compliance with the FTR and/or Agency policy.
GovTrip is used to prepare, examine, route, approve, and record travel authorizations and
vouchers. It is used to process all temporary duty location (TDY) authorizations, vouchers, local
vouchers and miscellaneous employee reimbursements. Approved documents interface to Oracle
for obligation or payment during a daily batch process. GovTrip users consist of travelers,
document preparers, budget reviewers, approving officials and administrators.

moveLINQ
ARC uses mLINQS’ relocation expense management system, moveLINQ, to meet its relocation
management program, payment system and reporting requirements. moveLINQ is an E-Gov
Travel Services and Federal Travel Regulations, Chapter 302 compliant web-based system that
automates relocation expense management processes, policy and entitlement for both domestic
moves and international relocations. The application is used for household goods shipment and
storage arrangements, employee travel arrangements, third party real estate payments and
relocation tax administration, including W-2 preparation. Approved documents interface to
Oracle for obligation or payment during a daily scheduled batch process.
moveLINQ users
consist of authorized TSD personnel. OIT hosts the moveLINQ system and serves as the
Microsoft SQL database administrator and provides primary support for tape backup and
recovery.

PRISM, GovTrip, moveLINQ, and E-Payroll to Oracle Reporting (EOR) are feeder systems that
interface with Oracle. Oracle on Demand hosts PRISM and EOR, Northrop Grumman hosts
GovTrip, and ARC hosts moveLINQ. ARC performs application administration for all feeder
systems.

Communication

BPD has implemented various methods of communication to ensure that all employees
understand their individual roles and responsibilities over processing transactions and controls.
These methods include orientation and training programs for newly hired employees, and use of
electronic mail messages to communicate time sensitive messages and information. Managers
also hold periodic staff meetings as appropriate. Every employee has a written position
description that includes the responsibility to communicate significant issues and exceptions to an
appropriate higher level within the organization in a timely manner. Managers also make an
effort to address continuing education needs of all employees by identifying training
opportunities made available through BPD's employee training and career development programs,
internal training classes, and professional conferences.

COMPLEMENTARY CUSTOMER AGENCY CONTROLS

The BPD’s processing of transactions and the controls over the processing were designed with the
assumption that certain controls would be placed in operation by Customer Agencies for the
control objectives to be achieved.
This section describes some of the controls that should be in
operation at Customer Agencies to complement the controls at BPD. Customer Agency auditors
should determine whether user Customer Agencies have established controls to provide
reasonable assurance to:
•   Properly approve and accurately enter obligations into the procurement and travel systems in
    the proper period.
•   Send valid requests to record manual obligations to ARC in a timely manner.
•   Review open obligation reports for completeness, accuracy, and validity.
•   Restrict Customer Agency access to Oracle, Discoverer, PRISM, webTA, and GovTrip to
    authorized individuals.
•   Approve and return relocation travel authorizations to Relocation Services Branch (RSB) for
    processing in moveLINQ in a timely manner.
•   Communicate Customer Agency required levels of budget and spending controls to ARC.
•   Compare actual spending results to budgeted amounts.
•   Review the financial reports provided by ARC to ensure that disbursement transactions are
    complete and accurate.
•   Provide certification of FACTS II to ARC prior to ARC’s FACTS II system certification.
•   Approve invoices for payment and send approved invoices to ARC in a timely manner.
•   Ensure that invoices properly reflect the invoice receipt date and formal or constructive
    acceptance date according to the Prompt Payment Act.
•   Approve travel vouchers and accurately enter the vouchers into GovTrip in the proper period.
•   Approve and return relocation travel vouchers to RSB for processing in moveLINQ in a
    timely manner.
•   Maintain and communicate to ARC, a list of individuals authorized to approve invoices and
    travel vouchers when it is not communicated in the authorizing agreement.
•   Send approved and
    accurate documentation of unfilled customer orders, receivables, and cash
    receipts transactions to ARC in the proper period.
•   Review unfilled customer orders, receivable and advance reports for completeness, accuracy,
    and validity.
•   Monitor and pursue collection of delinquent balances.
•   Review the financial reports provided by ARC to ensure that payroll accruals are complete
    and accurate.
•   Verify that payroll processed by third-party providers is complete and accurate.
•   Review the financial reports provided by ARC to ensure that payroll disbursements are
    complete and accurate.
•   Review open accrual reports for completeness, accuracy, and validity.
•   Approve and send revenue and expense accruals to ARC in a timely manner.
•   Review and approve, prior to submission, the financial reports prepared by ARC to ensure
    that all reports prepared for external use are complete, accurate, and submitted in a timely
    manner.
•   Review the financial reports provided by ARC to ensure that budget entries are complete and
    accurate.
•   Send approved budget plans to ARC in a timely manner.
•   Review and approve listing of users with current Oracle, PRISM, webTA, and GovTrip
    access to ensure appropriateness.
•   Ensure exiting employee timecards are coded “Final” as this will help ensure that HR staff
    deactivate the employee’s webTA access.
•   Send valid and approved requests to record manual journal entries to ARC in a timely
    manner.
•   Maintain and communicate to ARC, a list of individuals authorized to submit
    manual journal entries that are initiated by the Customer Agency.
•   Communicate OMB apportionment status to ARC.
•   Monitor usage of budget authority during periods of operation under a Continuing Resolution
    to ensure that OMB directed apportionment limits are not exceeded.
•   Ensure that approving officials are granted appropriate dollar threshold approval rights and
    develop a mechanism to review the set-up of the dollar thresholds on a regular basis.
•   Restrict Customer Agency access to Oracle, Discoverer, PRISM, webTA, and GovTrip to
    authorized individuals.

Specific complementary Customer Agency Controls are provided for Control Objectives 1, 2, 3,
5, 6, 7, 8, 9, 10, 11, 12, 16 and 17, in the Control Objectives, Related Controls, and Tests of
Operating Effectiveness section of this report.

SUB-SERVICE ORGANIZATIONS

In order to provide financial management services, ARC relies on systems and services provided
by other organizations external to BPD (sub-service organizations). The achievement of control
objectives depends on whether controls at the sub-service organizations anticipated in the design
of BPD’s controls were implemented and operating effectively. These sub-service organizations
are not subject to examination by KPMG LLP.
The following table describes the types of the sub-service
organizations used by ARC not subject to examination by KPMG LLP.

Name of Sub-service           Name of System              Function/Responsibilities
Organization

Treasury Financial            Government Wide Accounting  Treasury’s FMS provides reports to
Management Service (FMS)      (GWA) Account Statement     inform agencies of their Fund Balance
                                                          With Treasury and to assist agencies
                                                          in reconciling their general ledger
                                                          balances to FMS balances. ARC uses
                                                          these reports to perform
                                                          reconciliations.

                              Secure Payment System       ARC uses SPS to process payments
                              (SPS)                       for invoices.

                              CA$HLINK II, GWA            Each month, Treasury’s FMS issues
                              TDO Payments,               the FMS 6652, Statement of
                              Intragovernmental           Differences, to agency location codes
                              Payment and Collection      (ALC) when differences are identified
                              transactions (IPACs)        between the cash activity reported by
                                                          the agency on the FMS 224, Statement
                                                          of Transactions, and data reported to
                                                          Treasury’s CA$HLINK II, GWA
                                                          TDO Payments, and IPAC systems.
                                                          ARC accountants minimize month-end
                                                          disbursement differences by
                                                          comparing preliminary FMS 224 data
                                                          to data obtained from Treasury’s
                                                          CA$HLINK II, GWA TDO Payments,
                                                          and IPAC systems.

                              FACTS I                     Treasury’s FMS maintains the FACTS
                                                          I system. The FACTS I system has
                                                          edit checks to verify that the submitted
                                                          USSGL accounts and attributes are
                                                          valid and have equal debit and credit
                                                          balances.

                              FACTS II                    Treasury’s FMS maintains the FACTS
                                                          II system. The FACTS II system
                                                          performs USSGL edit checks and
                                                          rejects any files that fail the edit
                                                          checks.

                              TGAnet                      Treasury General Account Deposit
                                                          Reporting Network (TGAnet) enables
                                                          Federal Program Agency (FPA) users
                                                          to report over-the-counter (OTC)
                                                          receipts in a secure, web-based
                                                          system. In addition to the summary
                                                          deposit information currently required
                                                          on the paper SF 215, TGAnet collects
                                                          sub-total accounting information that
                                                          can feed the FPA's administrative
                                                          accounting systems as well as the
                                                          Treasury's central accounting system.

Treasury                      Treasury Information        For ARC’s Treasury and the
                              Executive Repository        Department of Homeland Security
                              (TIER)                      Customer Agencies, FACTS I and II
                                                          reporting requirements are met using
                                                          TIER. TIER is Treasury’s
                                                          departmental data warehouse that
                                                          receives monthly uploaded financial
                                                          accounting and budgetary data from
                                                          the Treasury and the Department of
                                                          Homeland Security bureaus and other
                                                          reporting entities within the
                                                          Department of the Treasury and the
                                                          Department of Homeland Security in a
                                                          standardized format. Data submitted to
                                                          TIER by an ARC accountant is
                                                          validated based on system-defined
                                                          validation checks.

                                                          ARC has customized programs in
                                                          Oracle that extract the accounting and
                                                          budgetary data in the required TIER
                                                          format. TIER has a standardized chart
                                                          of accounts that is compliant with
                                                          USSGL guidance issued by the
                                                          Department of the Treasury. FACTS
                                                          II edit checks are incorporated in the
                                                          TIER validation checks. After
                                                          submitting the adjusted trial balances
                                                          into TIER, ARC accountants review
                                                          the edit reports and resolve any invalid
                                                          attributes or out-of-balance conditions.
                                                          ARC accountants document this
                                                          review by completing the TIER
                                                          Submission Checklist, which is further
                                                          reviewed by a supervisor.

                              Financial Analysis and      Treasury’s FARS produces financial
                              Reporting System            statements using data bureaus have
                              (FARS)                      submitted to TIER.

Various third-party payroll   Various systems             Third-party payroll processors
processors                                                transmit payroll files to ARC after the
                                                          end of a pay period. ARC uses these
                                                          files for recording payroll
                                                          disbursements.

Northrop Grumman              GovTrip                     NGMS developed and hosts the
Mission Systems (NGMS)                                    GovTrip system, which is an E-Gov
                                                          travel platform. NGMS is the vendor
                                                          for E-Gov travel selected by the
                                                          Department of the Treasury.
                                                          NGMS maintains the data in their
                                                          Business Data Warehouse for six
                                                          years and three months.

General Services              Central Contractor          Primary registrant database for the
Administration (GSA)          Registration (CCR)          U.S. Federal Government; collects,
                                                          validates, stores and disseminates data
                                                          in support of Customer Agency
                                                          acquisition missions.

Bureau of the Public Debt     FedInvest                   Used to purchase and redeem
                                                          Government Account Series (GAS)
                                                          securities; data source for Customer
                                                          Agency federal investment interfaced
                                                          transactions with Oracle.

Oracle Corporation            Oracle on Demand            ARC hosts its Oracle and PRISM
                                                          applications at Oracle on Demand.
                                                          BPD retains application administration
                                                          responsibilities and Oracle on Demand
                                                          provides the computer processing
                                                          infrastructure and support thereto.

                                                          Oracle on Demand staff serve as the
                                                          database and system administrators
                                                          and provide backup and recovery
                                                          services for Oracle and PRISM.

III.   CONTROL OBJECTIVES, RELATED CONTROLS, AND TESTS OF OPERATING EFFECTIVENESS

ACCOUNTING PROCESSING CONTROLS

Control Objective 1 - Obligations

Controls provide reasonable assurance that obligations are authorized, reviewed, documented,
and processed timely in accordance with Administrative Resource Center (ARC) policies and
procedures.

Description of Controls

ARC has documented procedures for staff to follow for the processing of obligations.

PRISM System Interface
An obligation is created when a Customer Agency enters into a legally binding contract with a
vendor for goods or services. The obligation is entered into the accounting system through an
interface between PRISM and Oracle. The interface changes the budget status from a
commitment (if applicable) to an obligation in the general ledger and updates the corresponding
system tables. The interface between the procurement and accounting systems is real-time. The
procurement system has built-in controls that validate information provided by the Customer
Agency and ensure proper authorization is granted prior to the interface into the accounting
system.
These include:
    • Limited options based on roles;
    • Field inputs limited to look-up tables;
    • Data validations;
    • Pre-populated fields for default or standard entries;
    • Validation of funds availability; and
    • Non-editable fields (i.e., total when amount is per unit).

The interface between PRISM and Oracle is monitored periodically throughout the day by
systems analysts. The analysts periodically monitor a report that identifies transactions that have
been in the Pending Financial Approval status for more than 15 minutes and a report that
identifies transactions that were disapproved during the Pending Financial Approval status. The
analysts monitor the reports to ensure transactions are processed timely and to identify and
investigate any issues. Additionally, for transactions that terminate in Pending Financial Approval
status, the report indicates that when Oracle attempted to insert the record into the general ledger
database a successful message was not returned. The report lists all transactions currently in this
state. The analyst investigates all transactions included in the report to resolve the issues and
change the status accordingly. Additionally, the Customer Agency approver receives notification
of the failure in their PRISM inbox if the document status is disapproved.

Manually Recorded Obligations – Customer Agency Approval
For obligations not processed through the interface, Customer Agencies and/or Procurement
sends ARC a signed copy of the agreement or an e-mail to obligate the funds. Upon receipt from
the Customer Agency, the ARC technician responsible for processing the Customer Agency’s
accounting transactions reviews the documentation to ensure that adequate accounting
information has been received, and manually enters the obligation into Oracle.
Obligations that are posted in Oracle are available for both ARC and Customer Agency review
through ad hoc Discoverer reports.

Temporary Duty Travel System Interface
Customer Agencies enter travel authorizations into GovTrip and electronically route them to
Approving Officials for review and approval. Approving Officials electronically sign the
authorization with a status of “approved”. All “approved” authorizations are interfaced daily via
batch processing to Oracle which records an obligation in the general ledger. Each day an
interface file is received from Northrop Grumman Mission Systems (NGMS) which is used for
processing, report generation, and identification of exceptions. The file is loaded into the Oracle
interface and accepted records are added to Oracle as obligations in the general ledger. A Travel
Order Status Report is generated and reviewed to identify and correct data interface errors and
exceptions between GovTrip and Oracle. To correct transactions of this nature, the transactions
are manually entered into the system. Approved authorizations in GovTrip are reconciled daily
by an accounting technician with an Oracle generated report to ensure that all GovTrip
authorizations have been interfaced and processed in Oracle. In addition, GovTrip prevents a
user from both entering and approving travel authorizations unless they have authorized access.

Relocation Travel System Interface
The Relocation Services Branch (RSB) personnel enter PCS travel authorizations into
moveLINQ, print and send them to Approving Officials for review and approval.
When the signed document is received by RSB, Relocation Coordinators stamp the document in
moveLINQ with a status of “approved”. All “approved” documents are interfaced daily via batch
process to Oracle which records an obligation in the general ledger. Approved authorizations in
moveLINQ are reconciled daily by an accounting technician with an Oracle generated report to
ensure that all moveLINQ authorizations have been interfaced and processed in Oracle.

Budget Execution System Controls
Customer Agencies can establish and monitor both legally established and internally developed
budget plans in Oracle to ensure obligations are authorized and recorded. Budget plans can be
established at the following levels of the accounting structure in Oracle:
    • Appropriation/Fund (Based upon the customer’s appropriation)
    • Apportionment (Based upon the apportionment schedule on the SF-132)
    • Cost Center (Based upon the customer’s internal budget plan)
    • Reporting Category (Based upon the customer’s internal budget plan)
    • Project Code (Based upon the customer’s internal budget plan)
    • Budget Object Code (Based upon the customer’s internal budget plan)

Budget execution system controls can be set to prevent spending beyond the budget plan amount
or allow spending over the budget plan amount at any level of the budget plan. Spending beyond
the apportionment and appropriation levels (legal levels) is prohibited. System controls are
designed to prevent the user from apportioning more than was appropriated, and allocating more
than was apportioned. Decisions on control settings that permit or prevent spending beyond other
budget plan levels are determined by the Customer Agency.
System controls are applied at the
fund level after passage of appropriation legislation and a high-level budget is loaded at the
allocation level. Upon receipt and input of a detailed financial plan, controls are established at a
more detailed level if desired by the Customer Agency.

Budget execution settings are determined by the Customer Agency and are set up in Oracle by the
Customer Service Branch (CSB). System settings are reviewed with the Customer Agency on an
annual basis. Budget plans are input into Oracle by ARC staff, based upon budget plans provided
by Customer Agencies. Budget plans input into Oracle by ARC Staff are reviewed and signed off
on by an ARC Supervisor.

Document Numbering
All accounting entries recorded into Oracle require a transaction or document identification
number. System controls prohibit the use of duplicate document numbers on obligating
documents. ARC has developed and implemented a standard document-numbering scheme to
avoid duplicate document processing and to enable readers of ARC reports to better identify
and/or determine the nature of transactions processed by ARC.
When an ARC user attempts to
enter a transaction identification number that already exists, Oracle issues an error message that
alerts the user of the duplication.

Complementary Customer Agency Controls

Customer Agencies should establish controls to:

•   Properly approve and accurately enter obligations into the procurement and travel systems in
    the proper period.
•   Send valid requests to record manual obligations to ARC in a timely manner.
•   Review open obligation reports for completeness, accuracy, and validity.
•   Restrict Customer Agency access to Oracle, Discoverer, PRISM, webTA, and GovTrip to
    authorized individuals.
•   Approve and return relocation travel authorizations to RSB for processing in moveLINQ in a
    timely manner.
•   Communicate Customer Agency required levels of budget and spending controls to ARC.
•   Compare actual spending results to budgeted amounts.

Tests of Operating Effectiveness and Results of Testing

•   Inspected written procedures for the processing of obligations and determined that the
    procedures were formally documented for the processing of obligations.
•   Observed the validation tables in the PRISM system and noted that the system was configured
    to validate obligation document types and to ensure accuracy and completeness of the data
    interfaced from the PRISM system to the Oracle System.
•   Observed the PRISM Support Desk Staff monitoring the “Pending Financial Approval” and
    “Disapproved during Pending Financial Approval” reports and noted that the reports appeared
    to be monitored, and backlogs were not building up.
•   For a selection of manually entered obligations, inspected evidence of Customer Agency
    approval and determined that manually entered obligations were approved prior to
    being entered into Oracle by ARC Staff.
•   Observed the daily GovTrip interface and noted that approved travel authorizations were
    interfaced into the Oracle system and recorded as an obligation.
•   For a selection of dates, inspected GovTrip to Oracle interface reconciliations and determined
    that daily reconciliations were performed to ensure that data from the GovTrip system
    interfaced to the Oracle System.
•   Inspected screen prints from an ARC staff member entering travel vouchers into GovTrip and
    determined that the system required the travel vouchers to be routed to an approving official.
•   Inspected screen prints of an approving official attempting to enter and approve travel vouchers
    and determined that GovTrip prevented a user from both entering and approving travel
    vouchers.
•   Observed the daily moveLINQ interface and noted that approved relocation authorizations
    were interfaced into the Oracle system and recorded as an obligation.
•   For a selection of days, inspected the reconciliation of authorization from moveLINQ to the
    Oracle System and determined that the interface activity was reconciled to ensure all
    approved authorizations were completely and accurately interfaced to the Oracle System.
•   For a selection of Customer Agencies, inspected evidence and determined that for the year
    they specified their budget controls, they were input by CSB staff, and then reviewed by a
    supervisor for completeness and accuracy.
•   Observed an ARC staff member attempt to enter a transaction into Oracle with a document
    number that had already been entered into Oracle and noted that Oracle automatically
    rejected the entry of a duplicate document number.

No exceptions noted.

Control Objective 2 - Disbursements

Controls provide reasonable assurance that the disbursement of invoices and vouchers is
authorized, reviewed, processed timely, reconciled, and properly documented in accordance with
ARC policies and procedures.

Description of Controls

ARC has documented procedures for staff to follow for the processing of disbursements.

Customer Agency Invoice Approvals
ARC only processes disbursements for invoices with Customer Agency approval. Vendors can
either send invoices to the Customer Agency or ARC, depending on the instructions in the
purchase order. If invoices are sent to the Customer Agency, the Customer Agency reviews and
approves the invoice and forwards the invoice and documentation of Customer Agency approval
to ARC. When invoices are sent to ARC, ARC obtains Customer Agency approval through an
executed receiving document, or ARC submits the invoice to an authorized Customer Agency
contact for approval. Appropriate contacts are either specified in the purchase order or are
communicated to ARC by the Customer Agency. Intragovernmental Payment and Collection
transactions (IPACs) which decrease an ARC Customer Agency’s Fund Balance with Treasury
(FBWT) must be approved in advance by the Customer Agency, unless the IPAC was initiated
against the Customer Agency by another federal agency. To ensure that IPAC transactions
initiated against the Customer Agency by another federal agency are posted in the proper
accounting period, ARC may obtain Customer Agency approval after the IPAC has been
recorded.
Disbursement may also occur with information from feeder systems (PRISM, GovTrip,
and moveLINQ).

Statistical Sampling of Invoices
All invoices are subject to ARC internal review. System controls set at the user identification
and/or vendor level ensure that payment of invoices greater than or equal to $2,500 which are
processed by an accounting technician must be reviewed and approved by a lead accounting
technician or an accountant. Invoices less than $2,500 are subject to statistical sampling. System
user access profiles restrict accounting technicians’ ability to process documents that require
secondary review and approval and ensure proper segregation of duties is maintained. A 100%
post audit management review is conducted monthly on all invoices greater than $2,500 that are
both processed and approved by the same individual.

Temporary Duty Travel Vouchers
Customer Agencies enter temporary duty travel vouchers into GovTrip and electronically route
them to Approving Officials for review and approval. Approving Officials electronically sign the
voucher with a status of “approved”. All “approved” travel vouchers are interfaced daily via
batch processing to Oracle which records a disbursement in the general ledger. Each day an
interface file is received from the GovTrip System which is used for processing, report
generation, and identification of exceptions. The file is loaded into the Oracle interface and
accepted records are added to Oracle as disbursements in the general ledger. The travel voucher
is then matched against an existing authorization. A Travel Voucher Status Report is generated
and reviewed to identify and correct data interface errors and exceptions between GovTrip and
Oracle. To correct transactions of this nature, the transactions are manually entered into the
system.
Approved vouchers in GovTrip are reconciled daily by an accounting technician with an
Oracle generated report to ensure that all GovTrip vouchers have been interfaced and processed
in Oracle. In addition, GovTrip prevents a user from both entering and approving travel
vouchers.

Statistical Sampling of Temporary Duty Travel Vouchers
Temporary Duty Services Branch (TDSB) staff completes a post audit review of temporary duty
travel vouchers to verify the accuracy of the interfaced data and compliance with Federal Travel
Regulations (FTR), using statistical sampling procedures to select documents less than $2,500,
based on the Customer Agency’s travel policy (FTR or FTR/ARC). A 100% post audit review is
conducted on all documents greater than $2,500. Errors discovered during the review are sent via
e-mail to the traveler or document preparer and approving official to review and/or take action.
Billing documents are created for amounts owed by a traveler of $25 or greater, resulting from an
overpayment in which the Customer Agency has declared the overpayment a debt of the
government. The traveler sends a check to cover the overpayment.

Relocation Services Travel Vouchers
RSB personnel enter and audit each PCS travel voucher in moveLINQ, print and then send them
to Approving Officials for review and approval. When the signed document is received by RSB,
Relocation Coordinators stamp the document in moveLINQ with a status of “approved”. All
“approved” documents are interfaced daily via batch processing to Oracle which records a
disbursement in the general ledger.
Approved vouchers in moveLINQ are reconciled daily by an
Accounting Technician with an Oracle generated report to ensure that all moveLINQ vouchers
have been processed in Oracle.

Payment Date Calculations
Based on the Customer Agency’s contracts with its suppliers, ARC staff enters the invoice date
and the later of the invoice receipt date, or the earlier of the formal or constructive acceptance
dates into Oracle based on the supporting documentation from the Customer Agency. On a daily
basis, Oracle selects invoices that are due for payment and creates files for manual uploading into
Treasury’s Secure Payment System (SPS). The ARC SPS certifying officer compares the number
and dollar amount of payments from the SPS generated schedule to the payment files generated
by Oracle to ensure all payment files have been uploaded to Treasury. For invoices that are
subject to the Prompt Payment Act, Oracle schedules payments to disburse 30 days after the later
of the invoice receipt date and the earlier of the date of formal or constructive acceptance (unless
the supplier’s contract or invoice states otherwise). Any payments that are subject to the Prompt
Payment Act that are paid after their Oracle scheduled due date are subject to prompt pay interest
to cover the period the payment was due but not paid. Oracle automatically determines if interest
is due based on the dates in the accounting system.
If interest is due, Oracle calculates interest
and generates an interest payment to the vendor, provided the total interest is more than one
dollar.

Reconciliation – Fund Balance With Treasury Activity
Each month, Treasury’s Financial Management Service (FMS) issues the Statement of
Differences to agency location codes (ALC) when differences are identified between the cash
activity reported by the agency on the FMS 224, Statement of Transactions, and data reported to
Treasury’s CA$HLINK II, GWA TDO Payments, and IPAC systems. ARC accountants
minimize month-end disbursement differences by comparing preliminary FMS 224 disbursement
data to data obtained from Treasury’s CA$HLINK II, GWA TDO Payments, and IPAC systems.
Any differences identified by the accountant are corrected by an accounting technician or another
accountant prior to the close of the accounting period. ARC accountants prepare monthly
Statement of Differences reconciliations for supervisory review. If a Statement of Differences was
received, the transaction(s) that caused the difference is (are) identified and if necessary,
correcting entries are posted by an accounting technician or another accountant and reported in
the subsequent accounting period.

Budget Execution System Controls
Customer Agencies can establish and monitor both legally established and internally developed
budget plans in Oracle to ensure obligations are authorized and recorded.
Budget plans can be
established at the following levels of the accounting structure in Oracle:
    • Appropriation/Fund (Based upon the customer’s appropriation)
    • Apportionment (Based upon the apportionment schedule on the SF-132)
    • Cost Center (Based upon the customer’s internal budget plan)
    • Reporting Category (Based upon the customer’s internal budget plan)
    • Project Code (Based upon the customer’s internal budget plan)
    • Budget Object Code (Based upon the customer’s internal budget plan)

Budget execution system controls can be set to prevent spending beyond the budget plan amount
or allow spending over the budget plan amount at any level of the budget plan. Spending beyond
the apportionment and appropriation levels (legal levels) is prohibited. System controls are
designed to prevent the user from apportioning more than was appropriated, and allocating more
than was apportioned. Decisions on control settings that permit or prevent spending beyond other
budget plan levels are determined by the Customer Agency. System controls are applied at the
fund level after passage of appropriation legislation and a high-level budget is loaded at the
allocation level. Upon receipt and input of a detailed financial plan, controls are established at a
more detailed level if desired by the Customer Agency.

Budget execution settings are determined by the Customer Agency and set up in Oracle by the
CSB. System settings are reviewed with the Customer Agency on an annual basis. Budget plans
are input into Oracle by ARC staff, based upon budget plans provided by Customer Agencies.

Document Numbering
All accounting entries recorded into Oracle require a transaction or document identification
number. System controls prohibit the use of duplicate document numbers for the same vendor on
accounts payable transactions.
ARC has developed and implemented a standard document-numbering
scheme to avoid duplicate document processing and to enable readers of ARC reports
to better identify and/or determine the nature of transactions processed by ARC. When an ARC
user attempts to enter a transaction identification number that already exists, Oracle issues an
error message that alerts the user of the duplication.

Complementary Customer Agency Controls

Customer Agencies should establish controls to:

•   Review the financial reports provided by ARC to ensure that disbursement transactions are
    complete and accurate.
•   Approve invoices for payment and send approved invoices to ARC in a timely manner.
•   Ensure that invoices properly reflect the invoice receipt date and formal or constructive
    acceptance date according to the Prompt Payment Act.
•   Approve travel vouchers and accurately enter the vouchers into GovTrip in the proper period.
•   Approve and return relocation travel vouchers to RSB for processing in moveLINQ in a
    timely manner.
•   Maintain and communicate to ARC, a list of individuals authorized to approve invoices and
    travel vouchers when it is not communicated in the authorizing agreement.
•   Communicate Customer Agency required levels of budget and spending controls to ARC.

Tests of Operating Effectiveness and Results of Testing

•   Inspected written procedures for the processing of disbursements and determined that the
    procedures were formally documented for the processing of disbursements.
•   For a selection of invoices, inspected documentation of Customer Agency authorization and
    related general ledger
    entries and determined that disbursements were authorized and processed timely.
•   For a selection of Intergovernmental Payment and Collection transactions, inspected
    documentation of Customer Agency authorization and related general ledger entries and
    determined that disbursements were authorized and processed timely.
•   Observed an accountant process an invoice over $2,500 and noted that the system
    automatically routed the invoice to a secondary lead accounting technician or an accountant
    for review and approval.
•   For a selection of months, inspected evidence of the statistical review of invoices less than
    $2,500 and determined that the statistical review was performed subject to statistical sampling
    by a lead accounting technician or an accountant.
•   For a selection of months, inspected evidence and determined that the 100% post audit
    management reviews were conducted monthly on all invoices greater than $2,500 which were
    both processed and approved by the same individual.
•   Observed the daily GovTrip interface and noted that approved travel authorizations were
    interfaced into the Oracle system and were recorded as an obligation.
•   For a selection of days, inspected GovTrip voucher reconciliations and determined that
    approved vouchers in GovTrip were reconciled daily to Oracle by an accounting technician.
•   Observed a user in GovTrip attempting to approve their own travel voucher and noted that the
    system automatically prevented the user from approving their own travel voucher.
•   For a selection of months, inspected evidence of the supervisor review of temporary duty
    travel voucher invoices over $2,500 that were processed and approved by the same individual
    and determined that the supervisor reviewed the invoices and performed follow-up to validate
    the
    self-approval.
•   Observed relocation vouchers interfaced into Oracle and determined that approved vouchers
    were interfaced via automated batch process.
•   For a selection of days, inspected evidence and determined that vouchers in moveLINQ were
    reconciled daily by an Accounting Technician with an Oracle generated report.
•   For a selection of days, inspected evidence that the ARC SPS certifying officer compared the
    number and dollar amount of payments and determined that the review was completed daily
    to ensure interfaces were uploaded completely.
•   For a selection of invoices subject to the Prompt Payment Act, inspected documentation and
    determined that Oracle schedules payments to disburse 30 days after the later of the invoice
    receipt date and the earlier of the date of formal or constructive acceptance (unless the
    supplier’s contract or invoice states otherwise).
•   For a selection of late payments, inspected evidence and determined that proper interest was
    calculated and paid based on the number of days the payment was late.
•   For an example late payment, recalculated the interest owed and determined that Oracle
    calculated interest and generated an interest payment to the vendor.
•   For a selection of months, inspected the Statement of Differences and determined that
    supervisors reviewed the reconciliations.
•   For identified differences from the selection of months and Customer Agencies, inspected
    evidence and determined that accounting technicians or another accountant corrected
    differences prior to the close of the accounting period or in the subsequent accounting period
    if
    necessary based on timing.
•   For a selection of Customer Agencies, inspected evidence and determined that for the year
    they specified their budget controls, they were input by CSB staff, and then reviewed by a
    supervisor for completeness and accuracy.
•   Observed an ARC staff member attempt to enter a transaction into Oracle with a document
    number that had already been entered into Oracle and noted that Oracle automatically rejected
    the entry of a duplicate document number.

No exceptions noted.


Control Objective 3 – Unfilled Customer Orders, Receivables, and Cash Receipts

Controls provide reasonable assurance that unfilled customer orders, receivables, and cash
receipts are reconciled and properly documented in accordance with ARC policies and
procedures.

Description of Controls

ARC has documented procedures for staff to follow for the processing of unfilled customer
orders, receivables, and cash receipts.

Customer Agency Approval
ARC only processes unfilled customer orders, receivables, and cash receipts with Customer
Agency approval, with the exception of checks received for deposit directly by ARC on the
customer’s behalf for accounts payable invoice refunds of overpayments and/or vendor rebates.
Customer Agencies either send signed source documents or provide a summary of their
transactions via fax or e-mail. ARC enters all transactions into Oracle, which are available for
review through reporting systems.
To help ensure that cash receipts are posted in the proper
accounting period, ARC may obtain Customer Agency approval after the cash receipt has been
recorded.

Reconciliation – Fund Balance With Treasury Activity
Each month, Treasury’s FMS issues the Statement of Differences to ALCs when differences are
identified between the cash activity reported by the agency on the FMS 224, Statement of
Transactions, and data reported to Treasury’s CA$HLINK II and IPAC systems. ARC
accountants minimize month-end differences relating to collections by comparing preliminary
FMS 224 collection data to Treasury’s CA$HLINK II and IPAC systems. Any differences
identified by the accountant are corrected by an accounting technician or another accountant prior
to the close of the accounting period. ARC accountants prepare monthly Statement of Differences
reconciliations for supervisory review. If a Statement of Differences was received, the
transaction(s) that caused the difference is (are) identified and if necessary, correcting entries are
posted by an accounting technician or another accountant and reported in the subsequent
accounting period.

Reporting - Receivables
ARC accountants prepare and submit a quarterly Report on Receivables Due from the Public for
all Customer Agencies. This report requires agencies to track the collection of receivables and
report on the status of delinquent balances according to an aging schedule. Accountants that are
responsible for preparing the Report on Receivables Due from the Public review and reconcile all
activity (i.e., new receivables, revenue accruals, collections, adjustments and write-offs) with the
public on a quarterly basis. An ARC supervisory accountant reviews the report. Customer
Agencies are responsible for monitoring and pursuing collection of delinquent balances.
On an
annual basis, the Customer Agency’s Chief Financial Officer must certify that the report
submitted to the Department of the Treasury is accurate and consistent with agency accounting
systems.

Intragovernmental Transactions
ARC adheres to applicable intragovernmental elimination guidance. This involves recording
transactions at a level that allows for identification of its governmental trading partners and for
reconciling the transactions/balances with trading partners on a quarterly basis. For its
non-Treasury and non-Homeland Security Customer Agencies, ARC accountants reconcile fiduciary
account balances with their trading partners (Bureau of Public Debt, Office of Personnel
Management and Department of Labor) after uploading account balances into the
Intragovernmental Fiduciary Confirmation System (IFCS). The Department of Treasury and the
Department of Homeland Security utilize IFCS to reconcile Treasury and Homeland Security
agency fiduciary account balances with trading partners. For the non-fiduciary transactions of its
Customer Agencies, ARC accountants prepare and submit confirmations to the appropriate
trading partners in accordance with the elimination reconciliation guidance. Upon submitting the
confirmations to the trading partners, ARC works with the trading partners to reconcile
transactions/balances and identify and record any necessary adjustments. Reconciliations are not
performed for non-Treasury Customer Agencies. Non-Treasury Customer Agencies receive
confirmations only.

Document Numbering
All accounting entries recorded in Oracle require a transaction or document identification
number. System controls prohibit the use of duplicate document numbers on unfilled customer
orders and receivables.
A system control alerts the user of the use of duplicate document numbers
on cash receipt and advance transactions. ARC has developed and implemented a standard
document-numbering scheme to avoid duplicate document processing and to enable readers of
ARC reports to better identify and/or determine the nature of transactions processed by ARC.
When an ARC user attempts to enter a transaction identification number that already exists,
Oracle issues an error message that alerts the user of the duplication.

Customer Agency Control Consideration

Customer Agencies should establish controls to:

•   Send approved and accurate documentation of unfilled customer orders, receivables, and cash
    receipts transactions, to ARC in the proper period.
•   Review unfilled customer orders, receivable and advance reports for completeness, accuracy,
    and validity.
•   Monitor and pursue collection of delinquent balances.

Tests of Operating Effectiveness and Results of Testing

•   Inspected written procedures for the processing of unfilled customer orders, cash receipts,
    receivables, advances, and write-offs and observed ARC personnel process transactions, and
    determined that the transactions were processed in accordance with the procedures.
•   For a selection of unfilled customer orders, inspected documentation of Customer Agency
    authorization and determined that transactions were authorized by Customer Agencies.
•   For a selection of receivables, inspected documentation of Customer Agency authorization
    and determined that transactions were authorized by Customer Agencies.
•   For a selection of cash receipts, inspected documentation of Customer Agency authorization
    and determined that transactions were authorized by Customer Agencies.
•   For a selection of months, inspected Statement of Differences reconciliations and determined
    that reconciliations were documented and that any correcting entries were posted by an
    accounting technician or another accountant and reported in the subsequent accounting
    period.
•   For a selection of quarters, inspected the Report on Receivables Due from the Public
    reconciliations and determined that reconciliations were documented.
•   For a selection of quarters, inspected Reports on Receivables Due from the Public and
    determined that they were reviewed by an ARC supervisory accountant.
•   Inspected a quarterly selection of intra-governmental confirmations and reconciliations and
    determined that confirmations were sent, reconciliations were documented, and trading
    partners identified.
•   Inspected a quarterly selection of non-Treasury and non-Homeland Security Customer
    Agency intra-governmental Fiduciary Confirmation System balances and determined that
    fiduciary account balances were reconciled with trading partner balances.
•   Inspected a selection of non-fiduciary transaction confirmations of ARC Customer Agencies
    and determined that ARC accountants prepared and submitted confirmations to the
    appropriate trading partners in accordance with the elimination reconciliation guidance.
•   Inspected a selection of transaction(s)/balance(s) reconciliations and determined that upon
    submitting the confirmations to the trading partners, ARC worked with the trading partners to
    reconcile transactions/balances and identify and record any necessary adjustments.
•   Inspected a selection of reconciliations and determined that confirmations were performed for
    non-Treasury Customer Agencies.
•   Observed an ARC
    staff member attempt to enter a transaction into Oracle with a document
    number that had already been entered into Oracle and noted that Oracle automatically rejected
    the entry of a duplicate document number.

No exceptions noted.


Control Objective 4 - Deposits

Controls provide reasonable assurance that checks are secure and deposited timely by appropriate
personnel and documented in accordance with ARC policies and procedures.

Description of Controls

ARC has documented procedures for the safeguarding and recording of deposits.

Safeguarding Checks
Checks received by the mailroom are scanned and a batch ticket with the number of checks
received is generated. Copies of the batch ticket along with the checks are sent via confidential
mail to the appropriate ARC branch. An ARC accounting technician or administrative staff
member who does not have accounting system access to post account receivable transactions,
receives, opens and logs all checks received in the branch’s check deposit log. The number of
checks received is compared to the number of checks listed on the batch ticket. Checks are to be
deposited as soon as possible after the purpose and validity of the check’s issuance are identified.
While the accounting technician responsible for processing deposits for the Customer Agency is
researching the check’s purpose and validity, the check is locked in the ARC administrative staff
member’s drawer until it is ready to be deposited.

Manual Deposits – Segregation of Duties
When the check is ready for manual deposit, a deposit ticket and the check are placed in a locked
bag and picked up by the mail clerk.
A copy of the deposit ticket is retained by the ARC
administrative staff member for comparison with the receipt and deposit ticket signed by the bank
teller. The mail clerk delivers the locked bag containing the deposit ticket and checks to the local
federal depository. The bag containing the bank teller’s deposit ticket and receipt are returned to
the branch office that processed the deposit. After the bank teller receipt and deposit ticket are
compared to the copy retained by the branch and the ARC administrative staff member updates
the check deposit log to record the date the deposit was made, an accounting technician processes
the cash receipt in the accounting system.

Paper Check Conversion System Deposits and Reconciliation
For customers using the Paper Check Conversion (PCC) system, an ARC accounting technician
or administrative staff member will scan each check into the PCC system. The batch list is
automatically temporarily saved to the server until it is transmitted to the Federal Reserve Bank
(FRB) by the ARC accounting technician or administrative staff member. Upon settlement with
the FRB, the ARC accounting technician reconciles the batch list with the paper checks and signs
off to indicate the reconciliation is complete. After reconciliation, the checks are stamped
“VOID” by the ARC accounting technician or administrative staff member and held awaiting
confirmation of the deposit in the Federal Reserve's deposit application. Upon confirmation, the
ARC accounting technician or administrative staff member destroys the voided checks.
The cash
receipt is recorded in Oracle by an independent ARC accounting technician.

Treasury General Account Deposit Reporting Network System Deposit and Reconciliation
For customers using the Treasury General Account Deposit Reporting Network (TGAnet) system,
an ARC accounting technician or administrative staff member will manually enter the deposit
information into the TGAnet system. A deposit ticket and the check(s) are sent in a locked
money bag that is picked up by a mail clerk who then delivers it to the local federal depository.
A copy of the deposit ticket is retained by the ARC accounting technician or administrative staff
member for comparison with the deposit receipt from the bank teller and the confirmed deposit
ticket from the TGAnet system. The money bag containing the bank teller's deposit receipt is
returned to the branch office that processed the deposit.
After the bank teller receipt and TGAnet
confirmed deposit ticket are compared to the copy retained by the branch, the cash receipt is
recorded in Oracle by an independent ARC accounting technician.

Tests of Operating Effectiveness and Results of Testing

•   Inspected written procedures for the safeguarding and recording of deposits and determined
    that ARC had documented procedures for the safeguarding and recording of deposits.
•   Inspected the checks received by the mailroom and the associated batch tickets and
    determined that a batch ticket with the number of checks received was generated.
•   From a selection of batch tickets generated by the mailroom, inspected notes and determined
    that copies of batch tickets were sent via confidential mail to the appropriate ARC branch.
•   Inspected a selection of check logs and determined that an ARC administrative staff member
    who did not have accounting system access to post account receivable transactions, received,
    opened and logged all checks received in the branch’s check deposit log.
•   Inspected a selection of checks received and associated batch tickets and determined that the
    number of checks received was compared to the number of checks listed on the batch ticket.
•   Inspected a selection of check deposit records and check issuance attributes and determined
    that checks were deposited as soon as possible after the purpose and validity of the check’s
    issuance were identified.
•   Observed un-deposited checks from the check deposit log, and noted that they were properly
    secured in a locked drawer.
•   Observed checks ready for deposit, and noted that the deposit tickets and the checks were
    placed in a locked bag and picked up by the mail clerk.
•   Inspected a selection of signed check deposit logs and determined that a copy
    of the checks was retained by the ARC administrative staff member for comparison with the
    receipt and deposit ticket signed by the bank teller.
•   Inspected a selection of reconciliations from the deposit tickets to the bank teller deposit
    tickets and receipts and determined that the reconciliations were performed.
•   For a selection of dates, inspected PCC reconciliations and determined that the reconciliations
    were performed and exceptions were resolved.
•   Inspected a selection of reconciliations of TGAnet confirmed deposit receipts to those
    retained by the ARC branch and determined that the reconciliations were performed and
    exceptions were resolved.

No exceptions noted.


Control Objective 5 – Payroll Accruals

Controls provide reasonable assurance that period-end payroll accruals are processed timely,
reviewed, and properly documented in accordance with ARC policies and procedures.

Description of Controls

ARC has documented procedures for staff to follow for the processing of payroll accruals.

System Calculation of Accruals
Payroll accruals are recorded on a monthly basis and reversed in the subsequent accounting
period. The payroll accrual is a prorated calculation performed by the accounting system that is
based on the most recent payroll disbursement data available.
To make its calculation, the
accounting system requires a payroll accountant to enter specific parameters (e.g., number or
percentage of workdays to accrue and the base pay period number).

Complementary Customer Agency Controls

•   Review the financial reports provided by ARC to ensure that payroll accruals are complete
    and accurate.

Tests of Operating Effectiveness and Results of Testing

•   Inspected written procedures for the processing of payroll accruals and determined that the
    procedures were formally documented for the processing of payroll accruals.
•   For a selection of months, inspected payroll accrual invoices for a selection of Customer
    Agencies for entry into the system and determined that payroll accruals were entered timely.

No exceptions noted.


Control Objective 6 – Payroll Disbursements

Controls provide reasonable assurance that payroll disbursement data (disbursed by a third-party)
is reviewed, reconciled, and properly documented in accordance with ARC policies and
procedures.

Description of Controls

ARC has documented procedures for staff to follow for the processing of payroll disbursements.

Automated Payroll Posting Process
Third-party payroll processors transmit payroll files to ARC during the first and/or second weeks
after the end of a pay period, depending on the payroll provider and the need to record payroll
adjustments. Upon converting the data into a format that can be uploaded into Oracle, the ARC
payroll accountant reconciles the converted data to the original raw data from the third-party
processors. The ARC payroll accountant processes payroll entries using a batch interface that
posts summary payroll data to Oracle.
The payroll accountant reviews and corrects transactions
that reject in the interface. A Discoverer report is used to identify those records that reject. The
payroll accountant contacts the customer for resolution of erroneous accounting codes, funding
issues, or other circumstances that would prevent the payroll from being recorded. Until the
errors are cleared, the data is viewed as invalid and will not be able to be posted to the general
ledger. If the third-party payroll processor provides adjustment files for additional transactions
between main payroll files, the ARC payroll accountant follows the same procedure for
processing these files.

Reconciliation – Payroll Activity
Payroll accountants prepare a monthly reconciliation of payroll disbursements recorded in Oracle
and payroll disbursements as reflected on the GWA Account Statement. The payroll accountant
investigates and resolves any differences identified. This reconciliation is reviewed and approved
by the supervisor or manager of ARC’s Central Accounting Branch. In addition, ARC prepares
monthly GWA Account Statement reconciliations from the general ledger to Treasury’s record.
Any reconciliation differences identified by the branch accountant who prepares the GWA
Account Statement reconciliation that require correction are posted by another accountant or
accounting technician in a subsequent accounting period.
ARC supervisory accountants review
and approve the GWA Account Statement/Fund Balance with Treasury reconciliations.

Complementary Customer Agency Controls

Customer Agencies should establish controls to:

•   Verify that payroll processed by third-party providers is complete and accurate.
•   Review the financial reports provided by ARC to ensure that payroll disbursements are
    complete and accurate.

Tests of Operating Effectiveness and Results of Testing

•   Inspected written procedures for the processing of payroll disbursements and determined that
    the consistent use of the procedures by staff was likely to help prevent the inaccurate,
    unauthorized, or untimely entry of payroll disbursements into ARC information systems.
•   Inspected an interface error report and determined that during the interface, input files were
    checked for errors and interface error reports were created if errors were identified and
    determined that data would not interface until errors were corrected.
•   For a selection of months, inspected payroll reconciliations and determined that
    reconciliations were performed and that any exceptions were resolved.
•   For a selection of months, inspected GWA Account Statement, Undisbursed Appropriation
    Account Ledger reconciliations and determined that reconciliations were performed and that
    any exceptions were resolved.

No exceptions noted.

Control Objective 7 – USSGL

Controls provide reasonable assurance that
transactions are processed in accordance with the U.S.
Standard General Ledger (USSGL) and Treasury Financial Manual (TFM) guidance.

Description of Controls

ARC has documented procedures for processing transactions consistent with the USSGL.

Transaction Set-up Controls
ARC records proprietary and budgetary accounting entries using the USSGL at the transaction
level. This is accomplished using a combination of transaction code, system setup, and data entry
in Oracle. In addition, Oracle cross-validation rules have been established to prevent transactions
from being processed to inappropriate USSGL accounts.

ARC follows the TFM to establish accounting transaction posting models in Oracle. System
administrators require authorization from a supervisor or manager to establish new posting
models for transaction processing.

On an annual basis, ARC reviews the USSGL Board’s proposed and approved additions,
deletions and/or modifications to USSGL account titles and/or account descriptions to determine
their applicability to ARC Customer Agencies. Once the changes to the USSGL are approved by
Treasury’s FMS and the new TFM guidance is issued (generally mid-summer), ARC supervisors
and managers communicate the appropriate changes to system administrators to ensure the
accounting transaction posting models are revised.

General Ledger Account Reconciliations
Accountants perform general ledger account reconciliations (utilizing accounting system sub
ledgers or Excel spreadsheets) on balance sheet accounts except where account sub ledgers are
not made available to ARC, for supervisory review, to ensure related accounting transactions
were posted to the appropriate general ledger accounts. ARC accountants prepare budgetary to
proprietary account relationship reconciliations on a monthly basis, for supervisory review, to
ensure complete general ledger account posting for all recorded transactions.
An accounting
technician or an accountant corrects invalid out-of-balance relationships.

FACTS I Edit Checks
ARC enters pre-closing adjusted trial balances for its non-Treasury customers, except for the
Department of Homeland Security, into the FACTS I system at the Treasury appropriation/fund
group level using USSGL accounts and attributes. Treasury’s FMS maintains the FACTS I
system. The FACTS I system checks that the trial balance has, in aggregate, equal debit and
credit balances before the trial balance can be submitted in FACTS I. FACTS I also flags
abnormal balances for scrutiny by an ARC accountant. After entering the adjusted trial balances
into FACTS I, ARC reviews the submitted balances and resolves any invalid abnormal balances
or out-of-balance conditions. Once any necessary corrections have been made, the accountant
submits the adjusted trial balance into the FACTS I system.

FACTS II Edit Checks
ARC submits the FACTS II files for its non-Treasury customers, except for the Department of
Homeland Security, using a bulk file upload. Accountants create the bulk files by running a job
within the Oracle application. Oracle requires the data to pass several edit checks before it will
create the bulk file. ARC manually uploads the FACTS II files into the FACTS II system.
Treasury’s FMS maintains the FACTS II system. The FACTS II system performs USSGL edit
checks and rejects any files that fail the edit checks. ARC investigates and resolves any files
rejected by the FACTS II system.

Treasury Information Executive Repository (TIER) Validation Checks
For ARC’s Treasury and Department of Homeland Security Customer Agencies, FACTS I and II
reporting requirements are met using TIER.
TIER is a departmental data warehouse that receives
monthly uploaded financial accounting and budgetary data from the bureaus and other reporting
entities in a standardized format. Data submitted to TIER by an ARC accountant is validated
based on system-defined validation checks.

ARC utilizes custom solutions that extract accounting and budgetary data from Oracle to
generate necessary TIER data. TIER has a standardized chart of accounts that is compliant with
USSGL guidance issued by the Department of the Treasury. FACTS II edit checks are
incorporated in the TIER validation checks. After submitting the adjusted trial balances into
TIER, ARC accountants review the edit reports and resolve any invalid attributes or
out-of-balance conditions. ARC accountants document this review by completing the TIER Submission
Checklist, which is further reviewed by a supervisor.

Financial Statement Crosswalks
ARC accountants prepare a Balance Sheet, Statement of Net Cost and Statement of Budgetary
Resources for all Customer Agencies that are covered by the Chief Financial Officer Act and the
Accountability of Tax Dollars Act of 2002. The statements are submitted each quarter to the
Director of the Office of Management and Budget (OMB) and the Congress. Additionally, ARC
accountants prepare the Statement of Changes in Net Position, and Statement of Custodial Activity
(when applicable) for all Customer Agencies. ARC accountants compare TFM financial
statement crosswalks to ARC’s internally prepared financial statements to ensure compliance
with the Customer Agency's government-wide reporting requirements.
ARC investigates and
resolves any differences between TFM financial statement crosswalks and ARC’s internally
prepared financial statements.

Financial Statement Review
For Department of Treasury and Department of Homeland Security Customer Agencies, quarterly
financial statements are produced by departmental systems using the data submitted in TIER.
Quarterly consolidated financial statements are submitted to the Director of OMB and the
Congress by the Department. ARC accountants compare the quarterly financial statements to
ARC’s internally prepared financial statements. The comparison is further reviewed by a
supervisor, and any differences are resolved.

Financial Statement Variance Analysis
For both Department of Treasury and Department of Homeland Security Customer Agencies,
accountants prepare a quarterly financial statement variance analysis. Explanations for variances
that exceed Department materiality thresholds must be provided to the Department. The
Department submits a consolidated analysis to OMB. The bureau variance analysis is reviewed
by an ARC supervisory accountant and approved by the bureau CFO or designee prior to
submission to the Department. The Homeland Security bureau variance analysis is also certified
by an ARC manager, and Homeland Security's CFO or designee also approves the variance
analysis.

For non-Treasury and non-Homeland Security Customer Agencies, accountants prepare a
quarterly financial statement variance analysis for interim periods based on the guidance in OMB
Circular A-136. Explanations for variances that exceed the OMB Circular A-136 guidelines are
provided to OMB.
The variance analysis is reviewed by an ARC supervisory accountant prior to
submission to OMB.

Complementary Customer Agency Controls

Customer Agencies should establish controls to:

•   Review and approve, prior to submission, the financial reports prepared by ARC to ensure
    that all reports prepared for external use are complete, accurate, and submitted in a timely
    manner.

Tests of Operating Effectiveness and Results of Testing

•   Inspected written procedures for the processing of transactions consistent with the USSGL
    and determined that procedures were documented.
•   Observed the processing of a transaction to an inappropriate USSGL account and noted the
    existence of Oracle cross-validation rules.
•   Inspected a list of users with access to change posting models and determined that system
    administrators had access to administer posting models.
•   For a selection of posting model changes and additions, inspected ARC supervisory approval
    of the changes and inspected TFM/USSGL guidance and determined that the changes and
    additions were authorized and that they were in agreement with TFM/USSGL guidance.
•   Inspected evidence of the annual review of USSGL account titles and descriptions and
    determined that the annual review was performed by ARC supervisors and managers.
•   For a selection of months, inspected monthly general ledger account reconciliations and
    determined that reconciliations were performed, any exceptions were resolved and the
    reconciliation was reviewed by an ARC supervisor.
•   Inspected a selection of FACTS I edit check reports and determined that FACTS I was
    completed, reviewed, and any issues were resolved.
•   Inspected a selection of Reporting and Reconciliation Internal Control Checklists and
    determined that the FACTS I was completed.
•   Observed the staff run the ORACLE job that creates the FACTS II bulk data upload file and
    noted that ORACLE edit checks were applied to the data, and that the ARC accountant
    resolved any exceptions.
•   Inspected a selection of TIER Submission Checklists and determined that TIER submissions
    were reviewed by a supervisor.
•   For a selection of quarters for a selection of Customer Agencies, inspected ARC comparison
    of TFM financial statement crosswalk with ARC’s internally prepared financial statements
    and determined that ARC complied with reporting requirements.
•   Inspected results of ARC’s investigation of Treasury’s financial statement crosswalk and
    ARC’s internally prepared financial statements and determined that ARC investigated and
    resolved any differences.
•   Inspected a quarterly selection of financial statement reviews and determined that the
    reconciliations were reviewed and approved by a supervisor.
•   For a selection of months, inspected reconciliation of financial statements prepared by
    Treasury to internally prepared financial statements and determined that reconciliations were
    performed, any exceptions were resolved and they were reviewed by a supervisory accountant
    before submission.

No exceptions noted.

Control Objective 8 – Accruals

Controls provide reasonable assurance that the period-end accruals are authorized, processed
timely, reviewed, reconciled, and properly
documented in accordance with ARC policies and
procedures.

Description of Controls

ARC has documented procedures for staff to follow for the processing of accruals.

Customer Review of Revenue and Expense Accruals
Accounting technicians record period-end accruals for goods and services provided/received, but
not billed/invoiced, in Oracle based on instruction provided from the Customer Agency.

For all Customer Agencies, except the Treasury Franchise Fund, accounting technicians record
period-end accruals for goods and services provided, but not billed in the accounting system
through standard accrual transactions.

For Treasury Franchise Fund Customer Agencies, accounting technicians record period-end
accruals for goods and services provided but not billed in Oracle using an automated journal entry
process. The amounts recorded are based on information provided by e-mail from the Customer
Agency. Accounting technicians enter information received from the Customer Agency into a
spreadsheet template. An accountant reviews the spreadsheet and converts it into a data file that
is automatically loaded into Oracle and reviewed and approved by a supervisory accountant.

Non-Invoice Accrual Reviews
Accountants record non-invoice related expense accruals, such as workers' compensation and
leave liability in Oracle. The workers' compensation accruals are based on historical trend
analysis and/or actual costs incurred. The leave liability accruals are based on data provided by
the Customer Agency's payroll provider or Human Resources office. For applicable Customer
Agencies, the ARC payroll accountant processes payroll leave accrual entries using a batch
interface that posts summary payroll data to Oracle.
For non-batch interfaced leave accruals, a
supervisory accountant reviews the accrued employee benefits to determine that the accrual is
processed and posted.

Scorecard Review
Treasury's monthly data scorecard verifies that certain non-invoice related expense accruals are
recorded on at least a quarterly basis. Supervisory accountants validate the quality of TIER data
by reviewing an ARC accountant-prepared TIER Submission Checklist, which includes
verification that non-invoice related expense accruals are posted at least quarterly. In order to
monitor the quality of the data submitted, supervisory accountants and managers review, as
needed, Treasury’s monthly data quality scorecard.

General Ledger to Subledger Reconciliation
On a monthly basis, ARC accountants prepare a reconciliation of revenue and expense accrual
balances in the general ledger to the sub ledger detail, which is reviewed by a supervisor.
Accountants reconcile only billed revenue accruals since unbilled revenue accruals are recorded
directly in the general ledger. Any differences identified are corrected by an accounting
technician or accountant in the subsequent accounting period.

Budget Execution System Controls
Customer Agencies can establish and monitor both legally established and internally developed
budget plans in Oracle to ensure obligations are authorized and recorded.
Budget plans can be
established at the following levels of the accounting structure in Oracle:
    • Appropriation/Fund (Based upon the customer’s appropriation)
    • Apportionment (Based upon the apportionment schedule on the SF-132)
    • Cost Center (Based upon the customer’s internal budget plan)
    • Reporting Category (Based upon the customer’s internal budget plan)
    • Project Code (Based upon the customer’s internal budget plan)
    • Budget Object Code (Based upon the customer’s internal budget plan)

Budget execution system controls can be set to prevent spending beyond the budget plan amount
or allow spending over the budget plan amount at any level of the budget plan. Spending beyond
the apportionment and appropriation levels (legal levels) is prohibited. System controls are
designed to prevent the user from apportioning more than was appropriated, and allocating more
than was apportioned. Decisions on control settings that permit or prevent spending beyond other
budget plan levels are determined by the Customer Agency. System controls are applied at the
fund level after passage of appropriation legislation and a high-level budget is loaded at the
allocation level. Upon receipt and input of a detailed financial plan, controls are established at a
more detailed level if desired by the Customer Agency.

Budget execution settings are determined by the Customer Agency and set up in Oracle by the
CSB. System settings are reviewed with the Customer Agency on an annual basis. Budget plans
are input into Oracle by ARC staff, based upon budget plans provided by Customer Agencies.

Document Numbering
All accounting entries recorded into Oracle require a transaction or document identification
number.
System controls prohibit the use of duplicate document numbers on revenue and
expense accruals processed through standard accrual transactions. ARC has developed and
implemented a standard document-numbering scheme to avoid duplicate document processing
and to enable readers of ARC reports to better identify and/or determine the nature of transactions
processed by ARC. When an ARC user attempts to enter a transaction identification number that
already exists, Oracle issues an error message that alerts the user of the duplication.

Complementary Customer Agency Controls

Customer Agencies should establish controls to:

•   Review open accrual reports for completeness, accuracy, and validity.
•   Approve and send revenue and expense accruals to ARC in a timely manner.
•   Communicate Customer Agency required levels of budget and spending controls to ARC.

Tests of Operating Effectiveness and Results of Testing

•   Inspected written procedures for the processing of accruals and observed ARC staff
    processing accruals, and noted that the processing was in accordance with the procedures.
•   For a selection of accruals, inspected documentation of Customer Agency authorization and
    supervisory accountant review and determined that the accruals were authorized and reviewed
    appropriately.
•   For a selection of months, inspected non-invoice batch payroll leave accruals and determined
    that the files were sent to ARC for processing and posting of summary payroll data to the core
    accounting system.
•   For a selection of quarters, inspected non-invoice non-batch leave accrual and determined that
    a supervisory accountant reviewed the manually
    calculated leave accruals to ensure they were
    properly calculated and input into Oracle.
•   For a selection of months, inspected TIER Submission Checklists for evidence of ARC
    supervisory review of TIER data and timeliness of submission and determined that
    submissions had been reviewed.
•   For a selection of months, inspected scorecard documentation and determined that the
    scorecards were maintained for supervisory review if necessary.
•   For a selection of months, inspected reconciliation of revenue and expense accrual balances in
    the general ledger to the subledger detail and determined that reconciliations were performed
    and that any exceptions were resolved.
•   For a selection of Customer Agencies, inspected evidence and determined that for the year
    they specified their budget controls, they were input by CSB staff, and then reviewed by a
    supervisor for completeness and accuracy.
•   Observed an ARC staff member attempt to enter a transaction into Oracle with a document
    number that had already been entered into Oracle and noted that Oracle automatically rejected
    the entry of a duplicate document number.

No exceptions noted.

Control Objective 9 – Government-Wide Reporting

Controls provide reasonable assurance that Government-wide reporting is performed in
accordance with ARC policies and procedures.

Description of Controls

ARC has documented procedures for staff to follow for the preparation of government-wide
reports.

FACTS I & II
ARC policies require the submission of FACTS I and FACTS II reports based on FMS’s criteria
for these applications. All reports must pass all FACTS edit checks.
For non-Treasury Customer
Agencies, except the Department of Homeland Security, supervisory accountants review all
submissions prepared by accountants and review all data to ensure all reporting deadlines are met.
All fourth quarter FACTS II submissions require certification by an ARC supervisor or manager,
or other designated Customer Agency representative.

TIER
Treasury reporting entities are required to submit financial accounting and budgetary data each
month to TIER, Treasury’s data warehouse, within Treasury’s submission timeline, which is
generally the third business day of the subsequent month. The Department of Homeland Security
reporting entities are required to submit financial accounting and budgetary data each month to
TIER, Homeland Security’s data warehouse, within Homeland Security’s submission timeline.
To meet this requirement, ARC performs the Oracle month-end close processes on the second
business day after the end of the month. Supervisory accountants validate the quality of TIER
data to ensure reporting deadlines are met by reviewing an accountant-prepared TIER Submission
Checklist. The TIER Submission Checklist consists of internally and Treasury department
defined data quality standards. In order to monitor the quality of the data submitted, supervisory
accountants and managers review, as needed, Treasury’s monthly data quality scorecard.

EFT and Prompt Payment
ARC follows the Treasury guidelines for the EFT and Prompt Payment reports for its customers.
ARC prepares these reports on a monthly basis. Supervisory accountants review these reports
before submission.
Treasury also requires that a Customer Agency representative sign the
Prompt Payment reports.

Financial Statements
ARC accountants prepare a Balance Sheet, Statement of Net Cost and Statement of Budgetary
Resources for all Customer Agencies that are covered by the Chief Financial Officer Act and the
Accountability of Tax Dollars Act of 2002. The statements are to be submitted each quarter to
the Director of the OMB and the Congress. Additionally, ARC accountants prepare the Statement
of Changes in Net Position and Statement of Custodial Activity (when applicable) for all
Customer Agencies. ARC accountants compare TFM financial statement crosswalks to ARC’s
internally prepared financial statements to ensure compliance with the reporting requirements.
ARC investigates and resolves any differences between TFM financial statement crosswalks and
ARC’s internally prepared financial statements.

Financial Statement Review
For Department of Treasury and Department of Homeland Security Customer Agencies, quarterly
financial statements are produced by departmental systems using the data submitted in TIER.
Quarterly consolidated financial statements are submitted to the Director of OMB and the
Congress by the Department. ARC accountants compare the quarterly financial statements to
ARC’s internally prepared financial statements, for supervisory review, and resolve any
differences.

Financial Statement Variance Analysis
For both Department of Treasury and Department of Homeland Security Customer Agencies,
accountants prepare a quarterly financial statement variance analysis. Explanations for variances
that exceed Department materiality thresholds must be provided to the Department.
The
Department submits a consolidated analysis to OMB. The bureau variance analysis is reviewed
by an ARC supervisory accountant prior to submission to the Department.

For non-Treasury and non-Homeland Security Customer Agencies, accountants prepare a
quarterly financial statement variance analysis for interim periods based on the guidance in OMB
Circular A-136. Explanations for variances that exceed the OMB Circular A-136 guidelines are
provided to OMB with the quarterly financial statement submission. The variance analysis is
reviewed by an ARC supervisory accountant prior to submission to OMB.

Receivables
ARC accountants prepare and submit a quarterly Report on Receivables Due from the Public for
all Customer Agencies. The report is reviewed by an ARC supervisory accountant prior to
submission to Treasury.

Complementary Customer Agency Controls

Customer Agencies should establish controls to:

•   Review and approve, prior to submission, the financial reports prepared by ARC to ensure
    that all reports prepared for external use are complete, accurate, and submitted in a timely
    manner.
•   Provide certification of FACTS II to ARC prior to ARC’s FACTS II system certification.

Tests of Operating Effectiveness and Results of Testing

•   Inspected written procedures and determined that ARC had documented procedures for the
    preparation of government-wide reports.
•   For a selection of fourth quarter FACTS II submissions, inspected evidence of management
    review and determined that they were reviewed and certified.
•   For a selection of months, inspected TIER Submission Checklists for evidence of ARC
    supervisory review of TIER data and timeliness of submission and determined that
    submissions had been reviewed.
•   For a selection of months, inspected scorecard documentation and determined that the
    scorecards were maintained
    for supervisory review if necessary.
•   For a selection of months, inspected EFT and Prompt Payment reports and determined that
    they were reviewed by a supervisory accountant before submission.
•   For a selection of months, inspected reconciliations of financial statements prepared by FARS
    to internally prepared financial statements and determined that reconciliations were reviewed
    and that any differences were resolved.
•   For a selection of months, inspected reconciliation of financial statements prepared by FARS
    to internally prepared financial statements and determined that reconciliations were
    performed; any exceptions were resolved and were reviewed by a supervisory accountant
    before submission.
•   For a selection of quarters, inspected the Report on Receivables Due from the Public
    reconciliations and determined that reconciliations were documented.
•   For a selection of quarters, inspected Reports on Receivables Due from the Public and
    determined that they were reviewed by an ARC supervisory accountant.

No exceptions noted.

Control Objective 10 – Administrative Spending

Controls provide reasonable assurance that administrative spending controls are reviewed,
reconciled, and documented in accordance with ARC policies and procedures.

Description of Controls

ARC has documented procedures related to administrative spending controls.

Budget Execution System Controls
Customer Agencies can establish and monitor both legally
established and internally developed
budget plans in Oracle to ensure obligations are authorized and recorded. Budget plans can be
established at the following levels of the accounting structure in Oracle:
    • Appropriation/Fund (Based upon the Customer’s appropriation)
    • Apportionment (Based upon the apportionment schedule on the SF-132)
    • Cost Center (Based upon the Customer’s internal budget plan)
    • Reporting Category (Based upon the Customer’s internal budget plan)
    • Project Code (Based upon the customer’s internal budget plan)
    • Budget Object Code (Based upon the Customer’s internal budget plan)

Budget execution system controls can be set to prevent spending beyond the budget plan amount
or allow spending over the budget plan amount at any level of the budget plan. Spending beyond
the apportionment and appropriation levels (legal levels) is prohibited. System controls are
designed to prevent the user from apportioning more than was appropriated, and allocating more
than was apportioned. Decisions on control settings that permit or prevent spending beyond other
budget plan levels are determined by the Customer Agency. System controls are applied at the
fund level after passage of appropriation legislation and a high-level budget is loaded at the
allocation level. Upon receipt and input of a detailed financial plan, controls are established at a
more detailed level if desired by the Customer Agency.

Budget execution settings are determined by the Customer Agency and set up in Oracle by the
CSB. System settings are reviewed with the Customer Agency on an annual basis.
Budget plans
are input into Oracle by ARC staff, based upon budget plans provided by Customer Agencies.

Reconciliation – Budgetary and Proprietary Account Relationships
ARC accountants prepare budgetary to proprietary account relationship reconciliations on a
monthly basis, for supervisory review, to ensure complete general ledger account posting for all
recorded transactions. An accounting technician or an accountant corrects invalid out-of-balance
relationships.

Reconciliations – Fund Balance With Treasury (Activity and Balances)
A Federal Agency’s FBWT account assists the agency in monitoring use of budget authority.
Treasury’s FMS provides the following reports to inform agencies of their FBWT and to assist
agencies in reconciling their general ledger balances to FMS balances:
    • Statement of Differences (Disbursements/Deposits) provides the net difference between
        FMS’s control totals and the agency’s FMS 224 submission.
    • GWA Account Statement (Transactions) provides increases and decreases to balances,
        detailed at the submitting ALC levels.
    • GWA Account Statement (Account Summary) provides beginning balance, current
        month net activity and ending balance.

ARC accountants reduce the probability of month-end differences relating to disbursements by
comparing preliminary FMS 224 disbursement data to month-to-date data obtained from
CA$HLINK II, GWA TDO Payments, and IPAC systems.
Any differences identified by the
accountant are corrected by an accounting technician or another accountant prior to the close of
the accounting period.

ARC accountants perform Statement of Differences reconciliations, for supervisory review, as
well as reconciliations of GWA Account Statement balances to general ledger FBWT balances.
If differences are identified during the reconciliations, ARC accountants determine the cause of
the difference and the action, if any, that is needed to resolve the discrepancy. If the difference
requires correction, an entry is posted in the accounting system by an accounting technician or
another accountant.

Complementary Customer Agency Controls

Customer Agencies should establish controls to:

•   Properly approve and accurately enter obligations into the procurement and travel systems in
    the proper period.
•   Approve and return relocation travel vouchers to RSB for processing in moveLINQ in a
    timely manner.
•   Send valid requests to record manual obligations to ARC in a timely manner.
•   Review open obligation reports for completeness, accuracy, and validity.
•   Restrict Customer Agency access to Oracle, Discoverer, PRISM, webTA, and GovTrip to
    authorized individuals.
•   Communicate Customer Agency required levels of budget and spending controls to ARC.

Tests of Operating Effectiveness and Results of Testing

•   Inspected the written procedures related to administrative spending, inspected reconciliations,
    and observed ARC staff process transactions and determined that processing was in
    accordance with the procedures.
•   For a selection of Customer Agencies, inspected evidence and determined that for the year
    they specified their budget controls, they were input into Oracle by CSB staff, and were reviewed
    by a supervisor for completeness and accuracy.
•   For a
selection of months, inspected budgetary to proprietary account relationship
    reconciliations and determined that reconciliations were performed and that any exceptions
    were resolved.
•   For a selection of months for a selection of Customer Agencies, inspected evidence and
    determined that the accountants performed reconciliations of GWA Account Statement
    balances to general ledger FBWT balances and supervisory review was completed.

No exceptions noted.

Control Objective 11 – Budget

Controls provide reasonable assurance that budget entries are documented and processed in
accordance with ARC policies and procedures.

Description of Controls

ARC has documented procedures for staff to follow for the processing of budget entries.

Budget Documentation
For Customer Agency appropriations subject to annual enactment, ARC enters an appropriation
based on the amount approved in the annual appropriations process, as supported by the
automatic amount calculated during a continuing resolution (CR), the enacted appropriation
legislation, or Treasury documentation. ARC enters an apportionment in Oracle from the
Customer Agency's SF 132, Apportionment and Reapportionment Schedule. Upon receipt of the
Customer Agency's budget plan or reprogramming guidance, ARC allocates funding to the
Customer Agency's accounting values according to the detail provided by the customer.

For Customer Agency sources of funds that are not subject to the annual appropriations process,
such as reimbursable or revolving accounts, ARC enters an appropriation and apportionment
based on the Customer Agency's SF 132 and recorded reimbursable activity for those accounts
subject to the apportionment process.
ARC allocates funding to the Customer Agency's
accounting values based on the Customer Agency's budget plan or recorded reimbursable activity.

For sources of funds not subject to both the annual appropriations process and the apportionment
process, ARC enters an appropriation and apportionment at the fund level and allocates funding
to the Customer Agency's accounting values based on the Customer Agency's budget plan,
recorded reimbursable activity, or reprogramming guidance.

Budget Execution System Controls
Customer Agencies can establish and monitor both legally established and internally developed
budget plans in Oracle to ensure obligations are authorized and recorded. Budget plans can be
established at the following levels of the accounting structure in Oracle:

    •   Appropriation/Fund (Based upon the customer’s appropriation)
    •   Apportionment (Based upon the apportionment schedule on the SF132)
    •   Cost Center (Based upon the customer’s internal budget plan)
    •   Reporting Category (Based upon the customer’s internal budget plan)
    •   Project Code (Based upon the customer’s internal budget plan)
    •   Budget Object Code (Based upon the customer’s internal budget plan)

Budget execution system controls can be set to prevent spending beyond the budget plan amount
or allow spending over the budget plan amount at any level of the budget plan. Spending beyond
the apportionment and appropriation levels (legal levels) is prohibited. System controls are
designed to prevent the user from apportioning more than was appropriated and allocating more
than was apportioned. Decisions on control settings that permit or prevent spending beyond other
budget plan levels are determined by the Customer Agency.
System controls are applied at the
fund level after passage of appropriation legislation and a high-level budget is loaded at the
allocation level. Upon receipt and input of a detailed financial plan, controls are established at a
more detailed level if desired by the Customer Agency.

Budget execution settings are determined by the Customer Agency and set up in Oracle by the
Business Technology Division’s Customer Service Branch (CSB). System settings are reviewed
with the Customer Agency on an annual basis. Budget plans are input into Oracle by ARC staff,
based upon budget plans provided by Customer Agencies.

Reconciliation – Budgetary and Proprietary Account Relationships
ARC accountants prepare budgetary to proprietary account relationship reconciliations on a
monthly basis, for supervisory review, to ensure complete general ledger account posting for all
recorded transactions. An accounting technician or an accountant corrects invalid out-of-balance
relationships.

Reconciliation – Fund Balance With Treasury
A Federal Agency’s FBWT assists the agency in monitoring budget authority. Treasury’s FMS
provides the following reports to inform agencies of their FBWT and to assist agencies in
reconciling their general ledger balances to FMS balances:

    •   GWA Account Statement (Transactions) provides increases and decreases to balances,
        detailed at the submitting ALC levels.
    •   GWA Account Statement (Account Summary) provides beginning balance, current
        month net activity and ending balance.

ARC accountants perform reconciliations, for supervisory review, of GWA Account Statement
balances to general ledger FBWT balances.
If differences are identified during the
reconciliations, ARC accountants determine the cause of the difference and the action, if any, that
is needed to resolve the discrepancy. If the difference requires correction, an entry is posted in
the accounting system by an accounting technician, another accountant or a budget analyst.

Document Numbering
All accounting entries recorded into Oracle require a transaction or document identification
number. System controls prohibit the use of duplicate document numbers on budget documents.
ARC has developed and implemented a standard document-numbering scheme to avoid duplicate
document processing and to enable readers of ARC reports to better identify and/or determine the
nature of transactions processed by ARC. When an ARC user attempts to enter a transaction
identification number that already exists, Oracle issues an error message that alerts the user of the
duplication.

Complementary Customer Agency Controls

Customer Agencies should establish controls to:

•   Review the financial reports provided by ARC to ensure that budget entries are complete and
    accurate.
•   Send approved budget plans to ARC in a timely manner.
•   Communicate Customer Agency required levels of budget and spending controls to ARC.
•   Communicate OMB apportionment status to ARC.
•   Monitor usage of budget authority during periods of operation under a Continuing Resolution
    to ensure that OMB directed apportionment limits are not exceeded.

Tests of Operating Effectiveness and Results of Testing

•   Inspected written procedures for budget entries and determined that they were consistent with
    the control description.
•   
For a selection of Customer Agencies, inspected evidence and determined that for the year
    they specified their budget controls, they were input by CSB staff, and then reviewed by a
    supervisor for completeness and accuracy.
•   For a selection of months, inspected monthly general ledger account reconciliations and
    determined that reconciliations were performed, any exceptions were resolved and the
    reconciliation was reviewed by a supervisor.
•   For a selection of months and Customer Agencies, inspected evidence and determined that the
    accountants performed reconciliations of GWA Account Statement balances to general ledger
    FBWT balances and supervisory review was completed.
•   Observed an ARC staff member attempt to enter a transaction into Oracle with a document
    number that had already been entered into Oracle and noted that Oracle automatically rejected
    the entry of a duplicate document number.

No exceptions noted.

Control Objective 12 – Manual Journal Entries

Controls provide reasonable assurance that manual journal entries are authorized.

Description of Controls

ARC has documented procedures for staff to follow for the processing of manual journal entries.

Journal Entry Approval
A user’s profile in Oracle determines whether or not the user can prepare and/or approve a
manual journal entry. Oracle system controls require that all manual journal entries be routed to
an approver.
Once a user has entered a journal entry, Oracle automatically routes the journal
entry to an authorized approver's queue.

Document Numbering
Oracle assigns all manual journal entries a specific journal category and journal source and ARC
follows a standard document numbering scheme. Documentation supporting the journal entry
accompanies each request for approval. The approver compares the documentation to Oracle and
approves the journal entry.

Complementary Customer Agency Controls

•   Send valid and approved requests to record manual journal entries to ARC in a timely
    manner.
•   Maintain and communicate to ARC a list of individuals authorized to submit manual journal
    entries that are initiated by the Customer Agency.

Tests of Operating Effectiveness and Results of Testing

•   Inspected written procedures for the processing of manual journal entries and determined that
    procedures were documented.
•   Inspected the list of Oracle users with the ability to create manual journal entries and
    determined that they were assigned a supervisor in Oracle and would be subject to the
    automated approval workflow.
•   Inspected the list of Oracle users with the ability to approve manual journal entries and the list
    of users with the ability to enter manual journal entries and determined that users without a
    specified supervisor did not have the ability to enter a manual journal entry.
•   For a selection of journal entries, inspected hardcopy supporting documentation and related
    Oracle journal entries and determined that the manual journal entries had proper hardcopy
    documentation and were authorized.
•   Observed an ARC staff member attempt to enter a transaction into Oracle with a document
    number that had already been entered into Oracle and noted that Oracle automatically rejected
    the entry of a duplicate document
number.

No exceptions noted.

Control Objective 13 – Federal Investments

Controls provide reasonable assurance that Federal investments are authorized, reviewed,
processed timely, reconciled, and properly documented in accordance with ARC policies and
procedures.

Description of Controls

ARC has documented procedures for staff to follow for the authorization, review, processing,
reconciliation, and documentation of Federal investments.

ARC accountants process purchases of Federal investments in accordance with Customer Agency
instruction. Instructions include the type and amount of securities to be purchased or the amount
of residual cash to be retained. An independent accountant reviews investment purchases.

All investment activity is recorded in the general ledger through a daily interface between the Federal
Investment System (FedInvest), a subsystem of the Government Agency Investment Services
System, and Oracle. Accountants reconcile investment general ledger accounts to the FedInvest
application on a monthly basis to ensure all investment activity has been properly recorded.
A supervisor reviews investment account reconciliations.

Tests of Operating Effectiveness and Results of Testing

•   Inspected written procedures for the processing of federal investments and determined that
    policies were documented to ensure that Federal investments were authorized, reviewed,
    processed timely, reconciled and properly documented.
•   For a selection of Customer Agencies, inspected investment instructions and determined that
    they were provided to ARC and defined the investment objectives for the agencies.
•   For a selection of investment purchases, inspected evidence and determined that an
    independent accountant reviewed the purchases.
•   For a selection of months for a selection of Customer Agencies, inspected evidence and
    determined that the accountants reconciled investment general ledger accounts to the
    FedInvest application in a timely manner.

No exceptions noted.

Control Objective 14 – Suppliers and Banks Record Changes

Controls provide reasonable assurance that changes made to Suppliers and Banks records require
appropriate system access and the changes are reviewed, approved, and documented in
accordance with ARC policies and procedures.

Description of Controls

ARC has documented procedures related to Suppliers and Banks record changes for staff to
follow.

Segregation of Duties – Changes to Suppliers and Banks Records
User profiles set by Oracle system administrators, as authorized by the user’s supervisor or
manager, ensure that only authorized Central Accounting Branch (CAB) employees are able to
make changes to Suppliers and Banks records.
Authorized employees who have Suppliers and
Banks record change privileges do not have authorization to approve vendor payments in the
accounting systems, allowing for proper segregation of duties.

Changes to Suppliers and Banks records that include taxpayer identification number, address, or
bank routing/account number require:

•   A source document (Central Contractor Registration (CCR) database or a document supplied
    by a vendor or customer, when CCR is not applicable, i.e., grants and loans, payroll
    database, and/or e-mail, etc.), and
•   Independent review.

Review – Changes to Suppliers and Banks Records
Authorized employees review and process changes to Suppliers and Banks records and maintain
the supporting source documentation as described above.

A reviewing employee compares changes to Suppliers and Banks records from the Oracle system
to the change request documents and initials the audit report indicating review.
The reviewing
employee does not have access to make changes to Suppliers and Banks records in Oracle.
Therefore, if errors were made, the reviewing employee would provide a copy of the source
document to an authorized employee for correction and subsequent review.

Tests of Operating Effectiveness and Results of Testing

•   Inspected written procedures and determined that ARC had documented procedures for
    Suppliers and Banks record changes.
•   Inspected a list of users with access to update, modify, or delete Suppliers and Banks records
    and determined that users had the appropriate privileges.
•   Inspected a list of users with access to process vendor payments and determined that users
    had the appropriate privileges.
•   For a selection of changes to Suppliers and Banks records, inspected the reviewed report
    signed by the reviewing employee and determined that the Suppliers and Banks record
    changes were reviewed and approved.

No exceptions noted.

PROCUREMENT PROCESSING CONTROLS

Control Objective 15 – Acquisitions and Contracts

Controls provide reasonable assurance that acquisitions are compliant with Federal laws,
regulations and policies.

Description of Controls

All simplified acquisitions, commercial item contracts and Uniform Contract Format contract
files contain a checklist of file contents, which is completed by a Contract Specialist. A
standardized contract file format is also maintained.
The checklist and file contents are reviewed
by a warranted Contracting Officer, as evidenced by their signature on the award document, to
ensure adequacy of documentation and compliance with laws, regulations and policies.
Contracting Officers are warranted by Treasury for certain dollar limits based on experience and
training.

Tests of Operating Effectiveness and Results of Testing

•   Inspected a selection of simplified acquisitions, commercial item contracts, and Uniform
    Contracts and determined that a standard format was used and each included a checklist.
•   For a selection of simplified acquisitions, commercial item contracts, and Uniform Contracts,
    inspected the checklists and determined that the documentation was reviewed by a Warranted
    Contracting Officer.
•   Inspected the Contracting Officers’ authorization levels in PRISM and determined that
    Warranted Contracting Officers had specified dollar limits.

No exceptions noted.

Control Objective 16 – Sufficiently Funded Requisitions

Controls provide reasonable assurance that contract obligations are supported by approved
requisitions.

Description of Controls

A Contract Specialist or Contracting Officer ensures that each acquisition file is supported by a
sufficiently funded requisition. Requisitions are approved by program officials through the
PRISM system. Approval specifies that funds are available at the time of the requisition and are
then reserved for this purchase through a commitment. Approving officials are granted dollar
threshold approval rights by the Customer Agency.
These thresholds are maintained in the
PRISM system.

Complementary Customer Agency Controls

Customer Agencies should establish a control to:

•   Ensure that approving officials are granted appropriate dollar threshold approval rights and
    develop a mechanism to review the set-up of the dollar thresholds on a regular basis.

Tests of Operating Effectiveness and Results of Testing

•   Inspected a selection of acquisitions and evidence from PRISM and determined that the
    requisitions were approved by program officials through the PRISM system.
•   Inspected the approval limits in the PRISM system and determined that the use of the
    approval limits in PRISM was configured properly.

No exceptions noted.

GENERAL COMPUTER CONTROLS

Control Objective 17 – System Access

Controls provide reasonable assurance that systems are protected from unauthorized access in
accordance with ARC policies and procedures.

Description of Controls

ARC follows BPD policies and procedures that were developed, documented, disseminated, and
that are periodically reviewed and updated to facilitate the implementation of logical access
controls. Additionally, procedures specific to Oracle, PRISM, webTA, GovTrip, and moveLINQ
have been documented. The logical access controls are based on Treasury and BPD policies and
standards (Treasury Information Technology Security Program TDP-85-01 Volume I), which, in
turn, are based on the applicable Federal laws and regulations. These controls are the system-based
mechanisms that are used to specify which individuals and/or processes are to have access
to a specific system resource and the type of access that is to be permitted.
These controls limit
user access to information and restrict their system access to their designated level.

Oracle
Access to Oracle is restricted to users with a valid logon ID and password. Oracle
logons/sessions are encrypted to protect the information, making it unintelligible to all but the
intended users. Sessions are protected using 128-bit Secure Sockets Layer (SSL) encryption.
Prospective Oracle users must complete, sign and submit an approved Administrative Resource
Center System Access Form for End User Applications to request access to Oracle. The end
user’s signature indicates that they are familiar with the Privacy Act information and security
requirements and will comply with computer security requirements established by BPD and
ARC. The form defines the user’s access specifications, which will allow the user to perform
his/her duties in Oracle. Changes to existing user profiles require an e-mail to be sent to the
Oracle Support Team mailbox by an authorized individual requesting the change, and defining
what access should be added/deleted/changed. In order to remove a user’s access, Customer
Agencies submit a request for account termination. At that time, the Oracle user account is
end-dated in the system to remove their access. Additionally, each day the Oracle Support Team
generates and reviews a list of Oracle user accounts that have been inactive for 80 days. An
e-mail is sent to the user warning them that their account will be end-dated if they maintain an
inactive status for 90 days. After 90 days of inactivity, the user’s account will be end-dated.
Annually, the ARC sends out a list of system users to each Customer Agency for review. The
Oracle Support Team updates the permissions for users based on the responses received from the
Customer Agencies.

Oracle uses a multi-org functionality to strengthen security within the application.
Each
Customer Agency is configured as an operating unit in Oracle. When a new responsibility is
created by the system administrators, it is mapped to a specific operating unit by a system profile
option. The multi-org functionality helps ensure that a user assigned to a responsibility (which in
turn is mapped to an operating unit) can only see or enter data for that customer (or operating
unit). Oracle also provides a value set security feature, assigned to a responsibility, which further
controls new data entry in the operating unit by limiting the list of values (LOV) for the
accounting flexfield to those values specific to the customer (or operating unit).

Only the SYSADMIN account controlled by Oracle on Demand is assigned the System
Administrator responsibility in the Oracle application. CSB and QCB staff are assigned
Application Administrator responsibility in the Oracle application. The employees with the
Application Administrator responsibility have limited access to perform operational functions in
Oracle, specifically limited to the month-end closing, during customer conversions (as directed by
the functional teams) or emergency situations that can be approved by a supervisor or manager
after the fact. Additionally, the individuals with Oracle Application Administrator privileges
perform multiple functions, including that of the Oracle Support team members. As a result,
these individuals periodically require temporary access privileges of a functional user in order to
address user inquiries.
An edit check prevents an Oracle Application Administrator from adding
or removing any responsibilities from their own user ID.

The CSB/QCB/Project and Technical Services Branch (PTSB) managers can be assigned the
Application Administrator responsibility in situations where the manager deems the access is
required. This responsibility is granted on a temporary basis with the proper request and approval
and will be end-dated once the access is no longer necessary.

Administrative access to the underlying Oracle servers and databases is limited to Oracle on
Demand server and database administrators and specific BTD employees.

User Identifications (IDs) are assigned to BPD employees consistent with their network logon ID.
User IDs for Customer Agency staff are assigned by an ARC system administrator. A temporary
password is assigned to all users by calling the Oracle Support Team. Oracle Support Team
personnel are responsible for verifying the caller’s identity. Once the user logs onto the
accounting system, they must establish their own unique password. An Oracle user’s password
must meet unique password configuration, password complexity and password expiration criteria
to ensure strong password security.

Oracle access attempt logs are reviewed daily by the PRISM Support Team to identify if users
attempted to unsuccessfully access the system five or more times in the day. When five or more
unsuccessful access attempts were made, an e-mail is sent to the user indicating that the access
attempts were noted and requesting that the user notify ARC if the attempts were not made by the
user.

PRISM
Access to PRISM is restricted to users with a valid logon ID and password. PRISM
logons/sessions are encrypted to protect the information, making it unintelligible to all but the
intended users. Sessions are protected using 128-bit SSL encryption.
Prospective PRISM users
must complete, sign, and submit an approved Administrative Resource Center System Access
Form for End User Applications to request access to PRISM. The end user’s signature indicates
that they are familiar with the Privacy Act information and security requirements and will comply
with computer security requirements established by BPD and ARC. The form defines the user’s
access specifications, which will allow the user to perform his/her duties in PRISM. Changes to
existing user profiles require an e-mail to be sent to the PRISM Support Team mailbox by an
authorized individual at the Customer Agency, requesting the change, and defining what access
should be added/deleted/changed. In order to remove a user’s access, Customer Agencies submit
a request for account termination. At that time, the PRISM user is end-dated in the system to
remove their access. Additionally, each day the Oracle Support Team generates and reviews a
list of PRISM user accounts that have been inactive for 80 days. An e-mail is sent to the user
warning them that their account will be end-dated if they maintain an inactive status for 90 days.
After 90 days of inactivity, the user’s account will be end-dated. Annually, the ARC sends out a
list of users to each Customer Agency for review. Included for review are requisitioner and buyer
approval limits by user. The PRISM Support Team updates the access according to the responses
received from the Customer Agencies.

User access within PRISM is further limited by only allowing users to approve the addition or
modification of records to the operating units they have been assigned in Oracle. PRISM utilizes
the existing security features and functionality of Oracle.
For example, new users are set up in
Oracle and assigned appropriate PRISM responsibilities. Within Oracle, the responsibilities are
mapped to PRISM security groups. The user and security groups then flow to PRISM. Within
the PRISM application, users are assigned additional responsibilities as authorized on the access
form.

Updates to a user’s PRISM responsibilities are audited by independent employees within CSB.
The changes to functional access privileges are reviewed and compared to the changes to the
BTD’s Team Responsibilities matrix to determine whether or not the access privileges are
appropriate. Follow-up is performed to validate the addition of any privileges that are not on the
BTD’s Team Responsibilities matrix.

The System Administrator responsibility in PRISM is limited to certain employees requiring the
access for the performance of job duties. Administrative access to the underlying PRISM servers
and databases is limited to Oracle on Demand server and database administrators and specific
BTD employees.

User IDs are assigned to BPD employees consistent with their network logon ID. User IDs for
Customer Agency staff who utilize PRISM are assigned by an ARC system administrator. A
temporary password is assigned to all users by calling the PRISM Support Team. PRISM
Support Team personnel are responsible for verifying the caller’s identity prior to establishing the
user’s password. Once the user logs onto the system, they must establish their own unique
password. A user’s password must meet unique password configuration, password complexity
and password expiration criteria to ensure strong password security.

PRISM access attempt logs are reviewed daily by the Oracle Support Team to identify whether users
unsuccessfully attempted to access the system five or more times in the day.
When five or more
unsuccessful access attempts were made, an e-mail is sent to the user indicating that the access
attempts were noted and requesting that the user notify ARC if the attempts were not made by the
user.

webTA¹
Access to webTA is restricted to users with a valid logon ID and password. Access to webTA is
provided using 128-bit SSL encryption. All personnel require access to webTA in order to
complete time and attendance submission. Users granted standard employee access privileges are
not required to submit an access form. However, users that require elevated access privileges
(e.g., timekeeper, supervisor) are added to the webTA system following receipt of a
supervisor-approved Administrative Resource Center System Access Form for End User Applications. The
end user’s signature indicates they are familiar with the Privacy Act information and security
requirements and will comply with computer security rules. The form defines the user’s access
specifications, which will allow the user to perform his/her duties in webTA. Changes to existing
user profiles require a new access form to be submitted by the Customer Agency. Upon receipt
of an Administrative Resource Center System Access Form for End User Applications requesting
the deletion of a webTA user or upon receipt of a timesheet coded as “Final,” an HR
Administrator in PLSB removes the assigned responsibilities. Annually, an HR Administrator
sends out a list of timekeepers and supervisors to each Customer Agency for the agency to use in
performing a periodic review of access.
The list is limited to those timekeepers and supervisors
who are not currently responsible for validating or approving time for an active employee at the
Customer Agency. The review ensures that these employees who do not currently validate or
approve time on a regular basis still require their role as a timekeeper or supervisor.

¹ The scope of the description of webTA controls applies only to full service webTA customers.

User access within webTA is further limited by the role the user is assigned in the system (i.e.,
Employee, Timekeeper, Supervisor, etc.). The System Administrator and HR Administrator roles
in webTA are limited to certain employees, ensuring no one serves in both administrator roles.
Periodically, there is a need for the System Administrator to research a problem in a production
instance using an HR Role. When such an event arises, the System Administrator can be
temporarily granted HR specific roles with supervisor approval. Administrative access to the
underlying webTA servers and databases is limited to server and database administrators within
the OIT.

An HR Administrator assigns user IDs to BPD employees consistent with their network logon ID.
User IDs for Customer Agency staff who utilize webTA as timekeepers or supervisors are also
assigned by an HR Administrator. An HR Administrator also assigns a temporary password to
users by e-mail. Once the user logs onto the system, they must establish their own unique
password. A user’s password must meet unique password configuration, password complexity
and password expiration criteria to ensure strong password security.

GovTrip
Access to GovTrip is restricted to users with a valid logon ID and password.
All users must
complete the self-registration process. An account token will be forwarded to the user by the TSD
helpdesk after the self-registration information is verified for the user to activate their account.
Budget Reviewers and Approving Officials must complete, sign, and submit an approved
Administrative Resource Center Online Applications Access Request or have an approving
official or agency travel contact authorize access via e-mail. The end user’s signature indicates
they are familiar with the Privacy Act information and security requirements and will comply with
computer security requirements established by BPD and ARC. The form defines the user’s
access specifications, which will allow the user to perform his/her duties in GovTrip. Changes to
a user’s identification (i.e., name change) or to the user’s role in GovTrip require an
Administrative Resource Center Online Applications Access Request to be resubmitted or an
e-mail from the user copying his/her approving official or agency travel contact. Upon receipt of
an Exit Clearance form or e-mail request, GovTrip access permissions are set to indicate that the
user has terminated, by changing the user’s organization level to a suspense level. Additionally,
the user ID is reset so that the user will no longer have access to utilize the account. On an annual
basis GovTrip user accounts are reviewed by Customer Agency Travel Contacts.
TSD staff
create reports of GovTrip users and distribute the reports to Customer Agency Travel Contacts for review
and verification of the accounts.

GovTrip has user access levels that separate permissions from highest to lowest into these
categories:
    • System administrators (NGMS only)
    • Application administrators; Designated TDSB staff
    • Application administrators; Customer Service Help Desk Tier 2, Designated TDSB staff
    • Customer Service Help Desk Tier 1, Designated TDSB Staff
    • Approving Officials and Budget Reviewers
    • User; Traveler and Document Preparer
    • Terminated Users; Invitational Travelers

Access privileges are granted in accordance with the concept of least privilege required.

Users must establish their own unique GovTrip password. A user’s password must meet unique
password configuration, password complexity and password expiration criteria to ensure strong
password security.

moveLINQ
Access to moveLINQ is restricted to authorized TSD users with a valid logon ID and password.
The process for requesting, establishing, issuing, and closing user accounts is controlled through
the use of the moveLINQ Online Application Access Request Form which requires supervisor
approval. The form defines the user’s access specifications, which will allow the user to perform
his/her duties in moveLINQ. Changes to a user’s identification (i.e., name change) or to the
user’s role in moveLINQ also require a moveLINQ Online Application Access Request Form or
e-mail from the user’s supervisor or manager.
The user access list is reviewed by management
every time a change is made or six months from the last review, whichever is longer.

User IDs are assigned to authorized TSD employees consistent with their network logon ID. A
temporary password is assigned to moveLINQ users in person or by phone. Once the user logs
onto moveLINQ, they must establish their own unique password which is encrypted. A user’s
password must meet unique password configuration, password complexity and password
expiration criteria to ensure strong password security.

moveLINQ has user access roles that separate permissions from highest to lowest into these
categories:
    • Administrator
    • SAR (Non-Admin)
    • AUTH TSD Management (2 levels)
    • Relocation Coordinator Level 1
    • Relocation Coordinator Level 2
    • Tech – RITA Only
    • Special OA
    • Tech (3 levels)
    • Viewer

Access privileges are granted in accordance with the concept of least privilege required.

See Control Objective 19 for further discussion of the physical access control process.


Complementary Customer Agency Controls

Customer Agencies should establish controls to:
•   Review and approve listing of users with current Oracle, PRISM, webTA, and GovTrip
    access to ensure appropriateness.
•   Ensure exiting employee timecards are coded “Final” as this will help ensure that HR staff
    deactivate the employee’s webTA access.

Tests of Operating Effectiveness and Results of Testing


•   Inspected the Treasury Information Technology Security Program TDP-85-01 Volumes I and
    II and determined that security policies and procedures were documented.
•   Inspected Oracle user account management procedures and password procedures and
    determined that the security policies and procedures were documented for Oracle.
•   Inspected PRISM user account management procedures and password procedures and
    determined that security policies and procedures were documented for PRISM.
•   Inspected webTA user account management procedures and password procedures and
    determined that security policies and procedures were documented for webTA.
•   Inspected GovTrip user account management procedures and password procedures and
    determined that security policies and procedures were documented for GovTrip.
•   Inspected moveLINQ user account management procedures and password procedures and
    determined that security policies and procedures were documented for moveLINQ.
•   Inspected screen prints of a logon session and determined that the Oracle users required a
    valid login ID and password and that logins/sessions were encrypted with 128-bit SSL
    encryption.
•   For a selection of new Oracle users, inspected user access request forms and determined that
    the forms were completed, access was authorized, and contained employees’ signatures to
    denote that they understood the Privacy Act requirements.
•   For a selection of changes to Oracle user profiles, inspected authorizing documentation and
    determined that updates to access rights were authorized.
•   Inspected a selection of requests for termination of Customer Agencies employees’ Oracle
    access and evidence of when the account was end dated in the Oracle system and determined
    that requests for termination of access from Customer Agencies were completed in a timely
    manner.
•   From the selection of inactive Oracle user
    account reviews, inspected evidence and
    determined that the accounts inactive for 90 or more days were properly removed from the system.
•   For a selection of Customer Agencies, inspected evidence of the annual Oracle user access
    review and determined that the annual reviews were performed.
•   Inspected the list of user accounts and access in Oracle and determined that each user’s
    access was restricted to distinct operating units or Customer Agencies.
•   Inspected the list of Application Administrators and corresponding roles and determined that
    the Application Administrator responsibility was limited to CSB and QCB staff.
•   Inspected a screenshot of an Oracle System Administrator attempt to add responsibilities to
    their user ID, and determined that System Administrators could not add responsibilities to
    their user IDs.
•   For a selection of occurrences, inspected documentation authorizing the use of temporary
    Oracle Administrator Access and determined that the access was documented and approved,
    and revoked when no longer needed.
•   Inspected the Oracle on Demand contract and determined that a contract was in place for the
    hosting and management of Oracle servers.
•   Inspected the Oracle user list and determined that the accounts appeared to follow the naming
    convention.
•   Inspected Oracle user account management procedures and determined that upon initial login,
    new accounts must establish a new password.
•   Inspected Oracle profile options and determined that the Oracle accounts were configured to
    be locked out after 30 minutes of inactivity.
•   Inspected Oracle
    profile options, and determined that failed logins, password complexity,
    generation, and length requirements were configured in accordance with ARC password
    standards.
•   For a selection of Oracle system administrators and users, observed the password lifespan
    days established for the individual users and noted that they were configured in accordance
    with ARC password standards.
•   For a selection of dates, inspected Oracle violation logs and evidence of review and
    determined that violation logs were reviewed.
•   Inspected a screen print of a logon session and determined that user ID and Password were
    required and that PRISM logins/sessions were encrypted with 128-bit SSL encryption.
•   For a selection of new PRISM users, inspected user access request forms and determined that
    the forms were completed and access was authorized.
•   For a selection of changes to PRISM user accounts, inspected authorizing documentation and
    determined that updates to the accounts were authorized.
•   Inspected a list of separated BPD employees and a list of PRISM users and determined that
    separated BPD employees did not retain access to PRISM.
•   For a selection of days, inspected the inactive reviews and determined that the reviews were
    performed on a daily basis.
•   For a selection of agencies, inspected evidence of the annual PRISM user access review and
    determined that annual reviews were performed.
•   Observed and inspected a screenshot of the production PRISM system for a user and
    determined that the system was configured as defined in the control and in the New User
    Setup document.
•   Inspected a selection of modified PRISM access reviews and determined that they were
    reviewed by an independent reviewer.
•   Inspected the PRISM user list and determined that accounts
    appeared to follow the naming
    convention, using first initial, a second initial if necessary, and a last name.
•   Observed the PRISM Support Team member creating a new account in the PRISM system and
    noted that upon first login the user was immediately directed to reset their password.
•   Inspected PRISM password settings and determined that failed logins, password complexity,
    aging, generation, and length requirements were configured in accordance with ARC
    password standards.
•   Inspected PRISM configuration settings and determined that the PRISM sessions were
    configured to time-out if they remained inactive for 30 minutes.
•   For a selection of dates, inspected PRISM violation logs and evidence of review and
    determined that violation logs were reviewed.
•   Observed a logon session and noted that webTA logins/sessions required user name and
    password.
•   Observed a user log into webTA and noted that connections to webTA were encrypted
    utilizing 128-bit SSL encryption.
•   For a selection of new webTA users with elevated privileges, inspected user access request
    forms and determined that the forms were completed and access was authorized.
•   For a selection of changes to webTA user profiles, inspected authorizing documentation and
    determined that updates to the accounts were authorized.
•   Inspected a list of separated BPD employees and a list of webTA users and determined that
    the separated BPD employees did not retain access to the webTA application, server, or
    database, with the following exception noted:
            o   One of fifteen selected separated BPD employees retained access to
                the webTA application following termination.

                Remediation efforts were performed by ARC. ARC management stated that this
                condition was caused by an error when removing the individual’s account from
                the webTA instances. The account had not been accessed since January 3, 2011
                and a hot fix was applied to remove this account on June 23, 2011. Inspected the
                user listing for webTA and noted the account was removed.
•   For a selection of Customer Agencies, inspected evidence of distribution of a list of webTA
    supervisors and timekeepers for annual user account review by the Customer Agency and
    determined that annual reviews of access were completed.
•   Inspected the BPD user privileges within webTA and determined that users were assigned in
    a role-based security configuration.
•   Inspected the webTA user privileges for a selection of Customer Agencies and determined
    that users were assigned in a role-based security configuration, and that users assigned HR
    Administrator did not have Administrator access.
•   Inspected the webTA user privileges for a selection of Customer Agencies and the BPD group
    and the BTD phone list and determined that users with Administrator access were restricted to
    employees in the BTD group.
•   Observed webTA for an initial login and noted that the user was required to create a new
    password at first login.
•   Inspected webTA password settings and determined that failed logins, password complexity,
    aging, generation, and length requirements were configured in accordance with ARC
    password standards.
•   Inspected webTA configuration settings and determined that webTA sessions were
    configured to time-out if they remained inactive for 10 minutes.
•   Observed a user access the GovTrip
    system and noted that a user needed to be authenticated
    prior to accessing the system.
•   For a selection of new GovTrip users, inspected user access request forms or e-mails and
    determined that the forms or e-mails were completed and access was authorized.
•   For a selection of changes to GovTrip users, inspected authorizing documentation and
    determined that access changes were documented and access was authorized.
•   Inspected a list of separated BPD employees and a list of GovTrip users, and determined that
    the separated BPD employees did not retain access to the GovTrip application.
•   Inspected evidence of distribution of GovTrip user lists for review and determined that user
    account lists were distributed on an annual basis for review.
•   Inspected the user privileges within GovTrip and determined that users were assigned in a
    role-based security configuration from highest to lowest.
•   Observed a GovTrip user attempt to change their password to an invalid setting and noted that
    the system automatically prevented the use of a password that did not conform to the
    requirements.
•   Observed a moveLINQ user log in to the web based system and noted that they were required
    to enter a user ID and password.
•   Inspected a selection of reviewed moveLINQ user access lists and determined that the review
    of access was performed.
•   Inspected documentation for a selection of added moveLINQ users and determined that the
    requests were documented and approved.
•   Inspected a selection of moveLINQ modification requests and determined that the requests
    were documented and
    approved.
•   Inspected a selection of moveLINQ termination requests and determined that the removal of
    access was documented and performed.
•   Inspected the list of ARC separations and the active list of moveLINQ accounts and
    determined there were no accounts of terminated BPD employees on the system.
•   Inspected the current moveLINQ user list and determined that accounts were assigned with
    network IDs.
•   Observed and noted that a moveLINQ user must reset their password upon initial login.
•   Observed a moveLINQ user attempt to change their password to non-compliant passwords to
    test length and complexity requirements and noted that the system prevented the changes.
•   Observed a moveLINQ user enter the incorrect password 3 times and noted that the system
    locked the user account.
•   Inspected the user privileges within moveLINQ and determined that users were assigned in a
    role-based security configuration from highest to lowest.


No exceptions noted, except as described above.

Control Objective 18 – System Changes

Controls provide reasonable assurance that system software and application changes are tested,
approved, and documented in accordance with ARC policies and procedures.

Description of Controls

ARC has documented procedures for testing, approving, and documenting changes.
ARC System
Administrators are facilitators of the formal change management process via My Oracle Support,
Oracle on Demand’s web-based service request system.

Additional information regarding the Oracle migration is contained in the Information and
Communication section of this report.

Oracle and PRISM
For Oracle and PRISM, ARC uses iET/My Oracle Support to document key steps for each
change, including the initial request, approval, and implementation into production.

ARC processes standard software releases (i.e., patches) for both Oracle and PRISM.
Additionally, ARC processes customized application extension changes to Oracle. The ability to
process and apply Oracle and PRISM changes is restricted to the database administrators under
the coordination of Oracle on Demand.

ARC System Administrators, as designees of the system owner, serve as the primary initiators of
change requests. The following is indicated in the request: all the affected parties, a description
of the change, the applicable instance, and the requested date of the change. PTSB staff develop
customizations in separate development instances. QCB staff test changes by running test scripts
and analyzing the results. Upon successful completion of testing, QCB staff approve the change
request and forward it to the performer of the change, Oracle on Demand database administrators.
After the approved request has been completed, the performer updates the request in iET/My
Oracle Support accordingly, and the request is then closed.

For emergency changes to a production instance of Oracle or PRISM, ARC requires verbal
approval from a designated on-call manager (for all production instances).
ARC System
Administrators document the emergency change in iET/My Oracle Support on the next business
day.

webTA
ARC has a webTA maintenance agreement in place with immixTechnology, a vendor for Kronos’
webTA product.

For webTA, ARC applies standard software releases (i.e., patches) only. Unlike Oracle, webTA
does not have application extensions that are customizable by ARC.

When a new webTA release is received from Kronos (the developer of webTA), QCB staff test
the new release in a separate test instance by running test scripts and analyzing the results. Upon
successful completion of customer acceptance testing, the QCB staff forward a request for
applying the new webTA release to production to the appropriate parties for approval. The ability
to apply webTA releases is restricted to the database administrators under the coordination of
OIT. The new webTA release is not applied to production until it has been successfully tested
and approved.

GovTrip
GovTrip is hosted and maintained by NGMS at their facility. NGMS informs TSD of scheduled
updated system releases and the changes contained therein. System changes are also initiated by
TSD Analysts who make enhancement requests to NGMS for changes to be included by NGMS
in future scheduled release updates. TSD analysts test all GovTrip changes in a GovTrip
acceptance test environment. If any of the changes included in a scheduled GovTrip release
update fail TSD’s acceptance testing, NGMS may delay implementation of the release update.
TSD has documented procedures for testing GovTrip changes. Guidance is provided to customer
contacts on any changes.

moveLINQ
moveLINQ is hosted by OIT and maintained at BPD.
moveLINQS informs the RSB Manager
and moveLINQ System Administrators of scheduled updated system releases and the changes
contained therein. System changes are also initiated by moveLINQ System Administrators who
make enhancement requests to moveLINQS for changes to be included by moveLINQS in future
scheduled release updates. moveLINQ System Administrators and users test all moveLINQ
changes in moveLINQ test environments. If any of the changes included in a scheduled
moveLINQ release update fail the testing, RSB may delay implementation of the update until the
release passes the testing. RSB has documented procedures for testing and implementing
moveLINQ changes. RSB uses the Bureau’s iETSolutions Workcenter (iET) to track changes to
the system.

Tests of Operating Effectiveness and Results of Testing


•   Inspected written procedures and determined that ARC had documented procedures for
    testing, approving, and documenting changes.
•   Observed iET and noted that the system was designed to retain the necessary change
    management documentation and noted when a change to iET was made.
•   Inspected a selection of changes processed in the iET system and determined that the changes
    were tested and approved prior to implementation to the production environment.
•   Inspected the Oracle on Demand maintenance agreement and determined that the agreement
    contained system upgrade and maintenance provisions.
•   For a selection of Oracle on Demand changes via My Oracle Support, inspected
    documentation of testing and determined that the changes were tested prior to implementation
    in production.
•   There were no emergency changes processed in the iET system.
    We inquired of management
    about the emergency change process and inspected in iET that there were no emergency
    changes recorded.
•   Inspected the webTA system maintenance agreement and determined that it contained system
    maintenance provisions and that it was current.
•   Inspected a selection of webTA upgrades processed in the iET system and determined that
    documentation of testing and approval was completed. There were no emergency changes
    processed in the iET system. We inquired of management about the emergency change
    process and inspected in iET that there were no emergency changes recorded.
•   Inspected the GovTrip vendor support contract and determined that the contract was in place
    and current.
•   For a selection of GovTrip changes, inspected documentation of testing and determined that
    changes were tested prior to implementation in production.
•   Inspected written procedures and determined that the testing of GovTrip changes was in
    accordance with the procedures.
•   Inspected the moveLINQ system maintenance agreement and determined that it contained
    system maintenance provisions and that it was current.
•   For a selection of moveLINQ changes, inspected documentation of testing and determined
    that changes were tested prior to implementation in production.
•   Inspected written procedures for testing moveLINQ changes and determined that change
    procedures were formally documented.


No exceptions noted.
Effectiveness\n\x0cControl Objective 19 \xe2\x80\x93 Non-interruptive System Service\n\nControls provide reasonable assurance that interruptions due to operational failures are\nappropriately limited.\n\nDescription of Controls\n\nBPD has documented policies and procedures for controlling physical access to BPD buildings\nand to the data center. These include:\n    \xe2\x80\xa2   Identification of sensitive/critical areas to which access needs to be restricted.\n    \xe2\x80\xa2   Physical access controls designed to detect unauthorized access.\n    \xe2\x80\xa2   Procedures for log reviews and investigation of violations.\nThe Security Branch issues employee badges, after performing security background checks and\nfingerprinting.\nEmployees are required to have badges available at all times upon request.\nTerminated employees are required to surrender identification badges and are removed from the\nPhysical Access Control System (PACS) immediately.\nThe webTA, and moveLINQ servers reside in OIT\xe2\x80\x99s data center. Physical access to the OIT Data\nCenter is restricted to authorized users only. An employee needing access to the data center must\nhave his/her Branch Manager request access. The requests are made through iET, a workflow\nsystem that is used to approve data center access. After the Branch Manager completes and\nsubmits the iET request form, requests are forwarded to OIT's data center managers for approval\nin the iET. If OIT approves the request, the BPD Division of Security and Emergency\nPreparedness (DSEP) Security Branch grants access via PACS. Only designated DSEP\nspecialists have access to PACS. Access to all sensitive areas requires use of a badge. The use of\na badge provides an audit trail that is reviewed by OIT management monthly for potential access\nviolations. 
Any unauthorized access attempts are followed up on by contacting the individual’s
supervisor.

Individuals without badge access to the data center must be escorted to the command center and
are required to sign in/out of a Visitor log to be issued a data center visitor badge. Visitor badges
do not have access to the data center, but rather designate the individual as a visitor. This log is
maintained at the main entrance to the data center.

Vendors that are authorized to have a badge are issued a one-day badge and must leave their
access badge onsite following completion of work in the data center. A log of One-Day badges is
maintained and reviewed daily.

OIT performs a monthly review and reconciliation of individuals with data center access to
individuals authorized to have data center access. Additionally, OIT performs an annual review
and recertification of individuals with access to the data center. If an individual is found to have
unauthorized data center access, OIT will, based on the individual’s need for access, make a
decision whether to request that DSEP remove their data center access or whether to provide
authorization for their access.

From BPD's location, web sites, FTP servers, web servers, and aspects of intrusion detection are
monitored every ten minutes with a combination of software monitoring tools. The availability of
network infrastructure, such as switches and firewalls, is monitored with a combination of
software monitoring tools. OIT's data center is physically monitored by environmental
monitoring software that provides continuous checking and alarming capabilities for temperature
changes, water, and humidity threats.
Fire detection and suppression systems are installed in the
data center. Redundant battery-powered uninterruptible power supplies and a backup generator
protect the data center from an unplanned loss of power. Redundant air conditioning systems
protect data center computers from overheating in the event of air conditioning equipment failure.
OIT provides operations, support, capacity planning, performance monitoring, networking,
security monitoring, development, change management, back up, hardware acquisitions and
maintenance, and installation support for ARC.

Oracle
System operations manuals are provided to each employee assigned system maintenance
responsibilities. The Oracle Support Team, within CSB, is available for users to call if they are
experiencing difficulties with the system. In addition, Oracle support personnel have access to
internal application setup and security documentation, as well as various manuals and
documentation produced by the Oracle Corporation.

PRISM
PRISM user manuals are provided to end users. The PRISM Support Team, within CSB, is
available for end users to call if they are experiencing difficulties with the system, and PRISM
application administrators have access to internal application setup and security documentation,
as well as various manuals and documentation produced by Compusearch.

webTA
webTA support personnel have access to online documentation produced by Kronos. The Human
Resources Support Desk is available for users to call if they are experiencing difficulties with the
system. QCB acts as a liaison between the Human Resources Support Desk and OIT to resolve
system issues.

OIT performs differential backups of the production system nightly and performs a full tape
backup weekly.
The monthly backup tapes are sent to a long-term offsite facility.

See Control Objective 20 for further discussion of the backup process.

GovTrip
ARC TSD staff investigates and attempts to resolve any system issues noticed by the ARC staff
or reported to TSD by GovTrip users. When possible, TSD staff resolves GovTrip issues. If
TSD staff cannot resolve an issue, the issue is escalated to NGMS. TSD notifies system users of
the length of the expected outage or malfunction and notifies them again when the issue is
resolved.

moveLINQ
ARC purchases new license agreements annually from mLINQS, which include all upgrades and
service packs, monthly per diem rates, Federal travel regulation updates, and unlimited technical
support.

moveLINQ System Administrators investigate any system issues noticed by the OIT Database
Administrators or reported to them by moveLINQ users. When possible, moveLINQ System
Administrators resolve moveLINQ issues. If the administrator cannot resolve an issue, the issue
is escalated to mLINQS, the vendor. The System Administrator notifies the users of the length of
the expected problem and notifies them again when the issue is resolved.

OIT performs differential backups of the moveLINQ production database nightly and performs a
full tape backup weekly. The nightly backups are kept on-site for four weeks.
The monthly full
backup tapes are sent to a long-term off-site facility for two years.

See Control Objective 20 for further discussion of the backup process.

RSB maintains the data in the moveLINQ system for six years and three months.

Tests of Operating Effectiveness and Results of Testing

•   Inspected physical access policies and procedures for the data center and determined that they
    were documented and that they included the identification of sensitive/critical areas to which
    access needed to be restricted, physical access controls designed to detect unauthorized
    access, and procedures for log reviews and investigation of violations.
•   Observed physical access controls of BPD buildings and the OIT data center and noted that
    security guards, video cameras, badge readers, and locked doors were in place and in
    operation to restrict access.
•   Observed persons entering BPD buildings and noted that persons were required to place any
    materials, packages, bundles, etc.
    onto an x-ray machine, and additionally were required to
    pass through a walkthrough metal detector.
•   Observed persons entering BPD buildings and noted that an activation of the walkthrough
    metal detector resulted in further screening by the security guard, utilizing a handheld metal
    detector to identify the source of activation.
•   Observed an entrant swipe their badge into the access control system and noted that the
    controls system granted access to authorized personnel.
•   Inspected a list of employees with card key access to the data center and tape storage room
    from the card security system and an OIT phone list and determined that physical access to
    the OIT data center was restricted to authorized employees only.
•   For a selection of employees and contractors granted access to the data center, inspected the
    iET record for the access granted and determined that access was approved by the data center
    manager.
•   For a selection of dates, inspected visitor logs and determined that visitor logs were used.
•   For a selection of dates, inspected the daily shift logs and determined that an inventory of
    vendor badges was performed.
•   Inspected documentation of the monthly review of physical access privileges to the data
    center and determined that access privileges were reviewed.
•   Inspected documentation of the annual recertification of physical access privileges to the
    datacenter and determined that access privileges were recertified.
•   Observed the software monitoring tools and noted that these tools were installed and in use by
    OIT staff.
•   Observed variance monitoring logs and automatically generated alerts and noted that this
    application provided monitoring over websites, FTP servers, and web servers and that OIT
    staff reviewed these logs and alerts.
•   Observed software availability and performance tools and programs and noted that tools and
    programs were installed and in use by OIT staff and provided record of availability of
    network infrastructure.
•   Observed the environmental monitoring application and noted that the application was
    installed and used to monitor OIT data center environmental conditions.
•   Observed the OIT data center and noted that sprinklers, hand-held fire extinguishers, and
    raised floors were present.
•   Inspected completed maintenance work orders and inspection reports for the uninterruptible
    power supply (UPS), and the emergency power generator and determined that the generator
    and UPS were maintained.
•   Observed deployed environmental controls and noted that environmental controls were
    present.
•   Observed the Oracle system operations manuals and noted that the manuals were available to
    support personnel.
•   Observed internal application setup and security documentation, as well as various manuals
    and documentation produced by the Oracle Corporation and noted that Oracle support
    personnel had adequate access to materials.
•   Inspected PRISM application setup and security documentation and system manuals and
    determined that documentation was available to support personnel.
•   Inspected ARC’s maintenance agreement for webTA and determined that it was current.
•   Inspected a nightly selection of webTA production system backups and determined that
    nightly differential and weekly full tape backups had been performed.
•   Observed WebTA picking and packing lists and noted that the
    monthly backup tapes were
    sent to a long-term offsite facility.
•   Inspected the GovTrip incident escalation procedures and determined that the incident
    escalation procedures were documented and available to support ARC staff personnel in
    investigating and attempting to resolve any system issues.
•   Inspected the GovTrip incident escalation procedures and determined that if a TSD staff
    could not resolve an issue, the issue could be escalated to NGMS.
•   Inspected ARC’s maintenance agreement with mLINQS and determined that it required
    mLINQS to provide software and technical support for moveLINQ.
•   Inspected RSB System Administrators escalation procedures and determined that if an RSB
    Administrator could not resolve an issue, the issue could be escalated to mLINQS.
•   Inspected the agreement with the offsite storage vendor and determined that a formal
    agreement was in place for the offsite storage of data.
•   Inspected a nightly selection of the MoveLINQ production system backups and determined
    that nightly differential and weekly full tape backups were performed.
•   Observed moveLINQ picking and packing lists and noted that weekly backup tapes were sent
    to an offsite facility on a monthly basis.

No exceptions noted.

Control Objective 20 – Records Maintenance

Controls provide reasonable assurance that source document files are retained and safeguarded in
accordance with ARC and BPD’s Records Management Office policies and procedures.

Description of Controls

moveLINQ
OIT performs backups of specified distributed systems and applications as identified by the data
owners.
These backups are performed by the guidelines set forth in the Standard Operating
Procedures. Once the backups have been completed, the media can be moved to an alternate
facility as long as the data is encrypted. Once media is identified as needing to be moved off-site,
Enterprise Infrastructure Branch (EIB)/Data Archival and Retrieval Team (DART) is notified
with the specified media ID numbers and the desired retention period. EIB/DART will remove
the specified media from the tape library and send it to CAPS in sealed containers. The location
of media is tracked by the various systems that create the images on the media using data backup
utilities. In addition, EIB/DART maintains copies of all contingency site transmittal sheets that
list the media sent in each shipment. Once a week media is picked up and returned by the off-site
storage provider. Long-term offsite storage is provided through a contract. Authority to recall
tapes from off-site is limited to those individuals identified on a list maintained by the off-site
storage provider.

Based on the requirements for the data in the accounting, procurement and relocation systems,
backup tapes are created daily, weekly, and monthly. Daily backups are retained onsite for four
weeks in the data center tape vault. Weekly backups are retained for eight weeks onsite, and
monthly backup tapes, kept for two years to indefinitely depending on the data contained, are stored
offsite with a tape storage vendor.
For the HR time clock system, tapes are created weekly and
stored off site for two to eleven years depending on the data.

When tapes are returned from long-term storage, OIT reconciles the shipment that they have
received to their records of the tapes expected to be returned.

On an annual basis, OIT performs a full physical inventory of all backup tapes that are in BPD’s
possession, both at the data center tape library in Parkersburg, West Virginia and at the BPD’s
contingency site.

Network File Servers
Differential tape backups of network servers are created daily. On a weekly basis, OIT completes
a full back up of all ARC shared network files to a data tape. OIT retains the backup tapes for
five weeks.

Record Storage
CA Records Manager is a National Archives and Records Administration (NARA) approved
records storage system used by ARC. Hard copy data records are kept in folders and/or binders
on-site for one or two years. When hard copy data records are ready to be transferred off-site,
they are either stored in boxes or they are scanned and stored electronically.

Data records that will be retained in hard copy are packed into boxes and sent to off-site storage.
Prior to sending the boxes off-site, a description of the data being stored in the box, including the
box’s latest document date, and approved retention authority is entered into CA Records
Manager. BPD's Records Management Office approves the box for storage and produces a label
that is placed on the box.
The label includes a unique box number, bar code and box description.
The destruction date is calculated using the approved retention period and the latest document
date.

Hard copy data records may also be scanned and saved electronically in CA Records Manager.
Data records are stored in CA Records Manager folders based on the data's calculated destruction
date using the approved retention period and the latest document date. This method provides for
quicker access to archived data.

For relocation documents, active hard copy records are locked after hours. Inactive and closed
hard copy records are maintained in a locked onsite storage room.

Tests of Operating Effectiveness and Results of Testing

•   Observed the online tape management system and noted that data was encrypted prior to
    being written to tape and sent off site.
•   Inspected a list of individuals with authority to recall tapes from offsite storage and inquired
    of Management regarding their job descriptions and determined that authority to recall tapes
    was commensurate with job responsibilities.
•   Observed the online tape management system and contingency site Tape Manifests and noted
    that tapes were kept at three separate locations.
•   Inspected the agreement with the offsite storage vendor and determined that a formal
    agreement was in place for the offsite storage of media.
•   Observed Operations Personnel step through the process of opening received packages of
    tapes from the contingency site and noted that they compared the contents of the package to
    the tape management records.
•   Inspected full physical inventory documents of all backup tapes that were in
    BPD’s
    possession and determined that the annual tape inventory was performed.
•   For a selection of network file servers used by ARC, inspected system-generated backup
    schedules and backup logs and determined that daily differential backups and weekly full
    backups of the file server were scheduled and successfully completed.
•   Observed the location of the on-site hard copy records and noted that the hard copy records
    were stored on-site in folders for a specified time period.
•   Inspected an example of a hard copy records offsite shipment box and determined that
    appropriate descriptions were documented.
•   Inspected an example of hard copy records offsite shipment logs and determined that the hard
    copy records were labeled and stored.
•   Inspected hard copy records destruction logs and determined that the hard copy records were
    labeled and stored.
•   Observed the CA Records Manager system and noted that the records could be created,
    requested, and saved electronically using CA Records Manager.
•   Observed the location of the active hard copy data records and noted that the hard copy
    records were locked after hours.
•   Observed the location of the inactive hard copy data records and noted that the hard copy
    records were stored in a locked onsite storage room.
•   Inspected the list of authorized individuals that had access to the onsite storage room and
    determined that only authorized individuals had access.

No exceptions noted.

IV. OTHER INFORMATION PROVIDED BY THE
       BUREAU OF THE PUBLIC DEBT

CONTINGENCY PLANNING

System Back Up
The Oracle Federal Financials (Oracle) accounting system has a contingency plan managed by
the Administrative Resource Center (ARC). There is a formal ARC Business Continuity Plan
(BCP), which was last updated in June 2011. All essential Oracle functions will be performed at
the contingency site with the support of ARC employees. Full disaster recovery testing is
performed on an annual basis in conjunction with the Bureau of the Public Debt’s (BPD), Office
of Information Technology (OIT), Data Center’s Disaster Recovery Plan (DRP). Access to both
the primary and contingency instances of the accounting system is available from the
contingency site. The Oracle primary database servers, located at Oracle on Demand's primary
site in Austin, TX, are replicated near real time using Data Guard to a contingency location.
Oracle's Network File System (NFS) serves as the secondary back up of live data for the
application. Data from the NFS is sent to tape back-up twice weekly and stored at an off site
location. These tapes serve as a tertiary back-up.

OIT performs differential backups of the moveLINQ production database nightly and performs a
full tape backup weekly. The nightly backups are kept on-site for four weeks. The monthly full
backup tapes are sent to a long-term off-site facility for two years. The moveLINQ application is
tested annually using a table top exercise.

NGMS is responsible for system backup of GovTrip and maintains data in their Business Data
Warehouse for six years and three months.

Continuity of Operations
A fire alarm and sprinkler system that is managed, maintained, and tested by the building
management protects ARC and OIT facilities.
Alarms are active 24 hours a day, 7 days a week,
and are tied to a local alarm services company for spontaneous notification. Sprinkler heads are
located in the ceiling of each room of the buildings. This is a “wet pipe” (always charged with
water) system with individual heads that discharge water.

In the event the main building becomes inoperable, network operations would be relocated to the
Kansas City Regional Operations Center (KROC) facility in accordance with the OIT data
center’s DRP. This facility employs a “warm site” strategy for recovery of network operations.

As part of the ARC BCP, should ARC facilities become unavailable, essential ARC personnel
will relocate to established telework locations to reestablish their essential functions.
"